Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546011
MD5:	ad348d8fb166c6a092b4e7a111c49d91
SHA1:	da9eedc69ec90c8d1d9465029e2f0c4a69c0b067
SHA256:	d191828c73f166eca4ff2c3da47978dbe680af4512c0d350fc29d082ef949a7c
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6444 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AD348D8FB166C6A092B4E7A111C49D91)

taskkill.exe (PID: 6488 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6780 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6940 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2816 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3492 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1596 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2932 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7000 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f675acb6-0950-4792-885b-8e6118ba394d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200f2370f10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7424 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f19b71-546d-4e76-a3b3-b98c452652e3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200821acb10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8024 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 31336 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24dd366-d783-4abb-ac2d-1b0d4e0a54d8} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 20083bf3510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6444	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T11:31:25.317873+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49764	TCP
2024-10-31T11:32:04.509990+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49817	TCP

Code function: 0_2_0090EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0090EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0090ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0090EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008FAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00929576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1729616365.0000000000952000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9daa8873-a
Source: file.exe, 00000000.00000000.1729616365.0000000000952000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0ee95025-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_23d67385-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d97e8f5e-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE356BB77 NtQuerySystemInformation,		16_2_0000021CE356BB77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE35969F2 NtQuerySystemInformation,		16_2_0000021CE35969F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008FD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008FE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00902046	0_2_00902046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00898060	0_2_00898060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F8298	0_2_008F8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CE4FF	0_2_008CE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C676B	0_2_008C676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924873	0_2_00924873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BCAA0	0_2_008BCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CAF0	0_2_0089CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ACC39	0_2_008ACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C6DD9	0_2_008C6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008991C0	0_2_008991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AB119	0_2_008AB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1394	0_2_008B1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1706	0_2_008B1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B781B	0_2_008B781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B19B0	0_2_008B19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897920	0_2_00897920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A997D	0_2_008A997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7A4A	0_2_008B7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7CA7	0_2_008B7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1C77	0_2_008B1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C9EEE	0_2_008C9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE44	0_2_0091BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1F32	0_2_008B1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE356BB77	16_2_0000021CE356BB77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE35969F2	16_2_0000021CE35969F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE3596A32	16_2_0000021CE3596A32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000021CE359711C	16_2_0000021CE359711C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008AF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008B0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/32@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009037B5 GetLastError,FormatMessageW,

0_2_009037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F10BF AdjustTokenPrivileges,CloseHandle,		0_2_008F10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008F16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008FD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0090648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1937973925.0000020086363000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f675acb6-0950-4792-885b-8e6118ba394d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200f2370f10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f19b71-546d-4e76-a3b3-b98c452652e3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200821acb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 31336 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24dd366-d783-4abb-ac2d-1b0d4e0a54d8} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 20083bf3510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f675acb6-0950-4792-885b-8e6118ba394d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200f2370f10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f19b71-546d-4e76-a3b3-b98c452652e3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200821acb10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 31336 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24dd366-d783-4abb-ac2d-1b0d4e0a54d8} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 20083bf3510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1876002066.000002008DA1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1876002066.000002008DA1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1878668144.000002008DA9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1878668144.000002008DA9E000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B0A76 push ecx; ret

0_2_008B0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008AF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00921C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00921C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96494

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000021CE356BB77 rdtsc

16_2_0000021CE356BB77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008FDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009068EE FindFirstFileW,FindClose,	0_2_009068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0090698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008FD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008FD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00909642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0090979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00909B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00905C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: firefox.exe, 0000000F.00000002.2997362858.0000023168B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;
Source: firefox.exe, 0000000F.00000002.3002165111.0000023169008000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: firefox.exe, 00000010.00000002.3001481417.0000021CE3C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: firefox.exe, 0000000F.00000002.2997362858.0000023168B4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2995344888.0000021CE339A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001481417.0000021CE3C90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2997160234.0000014E9864A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000D.00000003.1975208803.00000200FDBC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966019191.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940509419.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951406128.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3001612286.0000023168F13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3001481417.0000021CE3C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: firefox.exe, 0000000F.00000002.3002165111.0000023169008000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001481417.0000021CE3C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000011.00000002.3000930367.0000014E98A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000021CE356BB77 rdtsc

16_2_0000021CE356BB77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090EAA2 BlockInput,

0_2_0090EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008C2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008B4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008F0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008C2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008B083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B09D5 SetUnhandledExceptionFilter,	0_2_008B09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008B0C21

Source: C:\Users\user\Desktop\file.exe

0_2_008F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FB226 SendInput,keybd_event,

0_2_008FB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008F0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008F1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1857100211.000002008D909000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B0698 cpuid

0_2_008B0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00908195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00908195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008ED27A GetUserNameW,

0_2_008ED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008CBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008CBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6444, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6444, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00911204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00911204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00911806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00911806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://profiler.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
http://exslt.org/sets	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
http://exslt.org/common	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://www.openh264.org/	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.142	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2998237493.0000014E989C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1978316882.000002008A89E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960098351.00000200FDAB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998544226.0000023168EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE36EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E989F5000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1811336942.000002008A657000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958317450.000002008A65F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903285809.000002008A64F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810722767.000002008A659000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813089581.000002008A64F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810405478.000002008A64D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2998237493.0000014E98987000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1926972886.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957705765.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971556742.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936358195.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1936358195.000002008A9A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1925784086.000002008B898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935329576.000002008B898000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://screenshots.firefox.com	firefox.exe, 0000000D.00000003.1966019191.00000200FDBF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1775122159.000002008231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775877106.0000020082377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775300291.000002008233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775624610.000002008235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774943262.0000020082100000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1923219462.000002008C360000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1775122159.000002008231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832862838.0000020085064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775877106.0000020082377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775300291.000002008233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978394242.000002008A82A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775624610.000002008235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774943262.0000020082100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.0000020085064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947959005.0000020085064000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000D.00000003.1975168565.00000200FDBFB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1961526001.0000020085B85000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1775122159.000002008231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775877106.0000020082377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775300291.000002008233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775624610.000002008235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774943262.0000020082100000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/sets	firefox.exe, 0000000D.00000003.1960780313.00000200FDA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975537828.00000200FDA8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1979049613.000002008A549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972549038.000002008A4FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1926972886.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957705765.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971556742.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936358195.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960098351.00000200FDAB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998544226.0000023168EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE36EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E989F5000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1830527463.00000200850D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834480435.00000200850D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/common	firefox.exe, 0000000D.00000003.1960780313.00000200FDA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975537828.00000200FDA8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1952559325.000002008A999000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000D.00000003.1921318676.00000200FF161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1975208803.00000200FDBC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966019191.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940509419.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951406128.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times	firefox.exe, 0000000D.00000003.1976015037.00000200FDA61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960780313.00000200FDA43000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960098351.00000200FDAB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998544226.0000023168EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE36EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E989F5000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000D.00000003.1945361232.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773903222.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957052329.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1780805249.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773461751.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1941305838.000002008A94F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE360A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E9890C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844512358.000002008659D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2998237493.0000014E989C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1974645177.00000200FE332000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840241032.000002008AA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1832862838.000002008505B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947959005.000002008505B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.000002008505B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1922613831.000002008C3F8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1923219462.000002008C360000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1975208803.00000200FDBC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940509419.00000200FDBD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966019191.00000200FDBD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966019191.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940509419.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951406128.00000200FDBBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1941545987.000002008A91A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953381741.000002008A5AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972450699.000002008A5AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808310420.000002008A5C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE3612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E98913000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000D.00000003.1960780313.00000200FDA43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976059751.00000200FDA51000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1841402404.00000200865FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1830527463.0000020085031000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924680601.00000200850DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953381741.000002008A512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830527463.00000200850CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.0000020085085000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941668775.000002008A5AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958705383.0000020083531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.0000020085034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813089581.000002008A69F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973487313.000002008511D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831426219.0000020084DF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.0000020085031000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838169013.00000200835FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1822626963.00000200835D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911315101.0000020084DF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925749725.0000020084DF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833276121.0000020085034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938065703.0000020086354000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964099511.0000020084C7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929328743.00000200835FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961526001.0000020085B4C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1961526001.0000020085B85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.openh264.org/	firefox.exe, 0000000D.00000003.1940509419.00000200FDBD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966019191.00000200FDBD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1961526001.0000020085B85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961526001.0000020085B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938190839.0000020085B5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1964291380.0000020084AF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1928267809.000002008A8EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926364620.000002008B822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937082859.000002008A8EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1928267809.000002008A8EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926364620.000002008B822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937082859.000002008A8EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1811336942.000002008A657000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958317450.000002008A65F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903285809.000002008A64F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810722767.000002008A659000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813089581.000002008A64F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810405478.000002008A64D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1935329576.000002008B898000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1777254771.0000020081B33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1841402404.00000200865FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1980908308.0000020084C46000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1964700667.00000200840D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808465730.00000200840D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844512358.000002008659D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1945361232.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773903222.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777254771.0000020081B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957052329.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1780805249.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773461751.0000020081D8C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960098351.00000200FDAB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998544226.0000023168EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998141850.0000021CE36EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E989F5000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1972185567.000002008A74F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1937082859.000002008A8EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1774943262.0000020082100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807267694.00000200FF181000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1932404069.000002008A999000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941305838.000002008A999000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775122159.000002008231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832862838.0000020085064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775877106.0000020082377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775300291.000002008233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978394242.000002008A82A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775624610.000002008235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774943262.0000020082100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834790981.0000020085064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947959005.0000020085064000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1926972886.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957705765.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971556742.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936358195.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2998081248.0000023168C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996433333.0000021CE3500000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997831078.0000014E98770000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1936358195.000002008A9B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1964291380.0000020084AF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1845605777.0000020086640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844512358.000002008659D000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546011
Start date and time:	2024-10-31 11:30:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/32@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 172.217.18.14, 2.22.61.59, 2.22.61.56, 216.58.206.78, 142.250.186.170, 142.250.185.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
06:31:13	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!s599af221dbfd41b9a607812ebc66d2cf&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VpSHltbG45MjdsQnBnZUJMcnhtMHM4QjRNbHFPTTJWd0ZlQTFNLWNhZ0lnRkE_ZT1aak8wczY&wd=target%28Sezione%20senza%20titolo.one%7C99ad2a4b-5ecc-495f-9ce8-040ac62eb8f2%2F%5BExternal%5D%20-%20Invoice%20%27s%208808-%7C9e6e973e-3cda-429a-a28f-c51dc242e5b1%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://invite.bublup.com/q6fU7gLtMrfS	Get hash	malicious	HTMLPhisher	Browse	151.101.128.217
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	UCLouvain.onepkg	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	https://naimestyles.com/rtwo/n/3rrLaAvg41CM3J4mAJYroltS/c3BhY2VpbnZpZGVvc0Blc2EuaW50	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
	https://management.bafropon.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.194.137
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	34.148.73.213
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b405b65b-7772-40c7-a964-f272747e0b9c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.186435103897042
Encrypted:	false
SSDEEP:	192:xVrjMXvbMcbhbVbTbfbRbObtbyEl7n8rgJA6WnSrDtTUd/SkDrP:jYAcNhnzFSJcrTBnSrDhUd/h
MD5:	19BB2EDFCB2D57230A1BDB1127B676C0
SHA1:	15A514B634C466FB200BF0B339335CF920D669BE
SHA-256:	BF874A5BC4880841E78F160F1A5FA2ED97CCF43A0C99186D9BD85A721909148D
SHA-512:	4A028B42C96FE0F347E0BDA40AB20781EE29D0A3587B0CC222F2544653EEF6F316D6526248E3E0F63958C1055F0552E98904EB73720BE226C2E1CE423ED07DD7
Malicious:	false
Preview:	{"type":"uninstall","id":"b405b65b-7772-40c7-a964-f272747e0b9c","creationDate":"2024-10-31T12:26:13.360Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b405b65b-7772-40c7-a964-f272747e0b9c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.186435103897042
Encrypted:	false
SSDEEP:	192:xVrjMXvbMcbhbVbTbfbRbObtbyEl7n8rgJA6WnSrDtTUd/SkDrP:jYAcNhnzFSJcrTBnSrDhUd/h
MD5:	19BB2EDFCB2D57230A1BDB1127B676C0
SHA1:	15A514B634C466FB200BF0B339335CF920D669BE
SHA-256:	BF874A5BC4880841E78F160F1A5FA2ED97CCF43A0C99186D9BD85A721909148D
SHA-512:	4A028B42C96FE0F347E0BDA40AB20781EE29D0A3587B0CC222F2544653EEF6F316D6526248E3E0F63958C1055F0552E98904EB73720BE226C2E1CE423ED07DD7
Malicious:	false
Preview:	{"type":"uninstall","id":"b405b65b-7772-40c7-a964-f272747e0b9c","creationDate":"2024-10-31T12:26:13.360Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925851742007375
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNx9z:8S+OfJQPUFpOdwNIOdYVjvYcXaNLSI8P
MD5:	E3F2FFEA40087C9B183E8C0D9A886C4F
SHA1:	0B84D69468088D216944CF3DC7A635A7FB27955C
SHA-256:	50E09CCDAD489868B4CBF6D8D876876A5E53207AAF796A1E817F1F769B030F89
SHA-512:	A0912C9B5E23463BCB6B1D350E394E6A063179084BFC395F5B23E4B906B85BE7ABBD4D61687EC2854468A70A54CF0A1B6BB01161EEFEEE968EDCBAF18789B864
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925851742007375
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNx9z:8S+OfJQPUFpOdwNIOdYVjvYcXaNLSI8P
MD5:	E3F2FFEA40087C9B183E8C0D9A886C4F
SHA1:	0B84D69468088D216944CF3DC7A635A7FB27955C
SHA-256:	50E09CCDAD489868B4CBF6D8D876876A5E53207AAF796A1E817F1F769B030F89
SHA-512:	A0912C9B5E23463BCB6B1D350E394E6A063179084BFC395F5B23E4B906B85BE7ABBD4D61687EC2854468A70A54CF0A1B6BB01161EEFEEE968EDCBAF18789B864
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733309034670187
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkid4:DLhesh7Owd4+jid4
MD5:	9BDD7365AE5A6BB21394C32F99279CCE
SHA1:	DB975293FB8DC43E769C8B353002C0178A9576EB
SHA-256:	3AA4D06D474607DC0E05E93C71131A6D81DE911A74ACE4AC43F6ED51DAB51866
SHA-512:	324C2C12C5022EE2C4B8E6ADD9A15F46A8AEB463A504488306D4CBF6A4B78A67BEC047C9E048CD67934236BAA624B80BC160A0174CA4349AEF2AB73E1C2D6ED6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFG5RAmwhell3lstFG5RAmwhxtT89//alEl:GtWtE5RAhel1WtE5RAhX89XuM
MD5:	2D09C4175F5F632B2D1C2DDB3B3D8D99
SHA1:	DE3A3468C3E1F57AC8BE95D1CB99B3A0BA938E6E
SHA-256:	48744700F9C65864813452C92305A99F2037F280ED4F4EA7CCA8575548FF40C9
SHA-512:	4F21EC48C7FE0C7310E6D2FECA25ABA3B1BC2AFD2C3F08929C9FB826CD794EA21EEAB1E9376A94FDA5940D7C128AB5B9C494F9BA6FA970C7C994B0B8EDB8C2D0
Malicious:	false
Preview:	..-.....................Qj.9......(}.{#1..?.@L..-.....................Qj.9......(}.{#1..?.@L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039876235365495935
Encrypted:	false
SSDEEP:	3:Ol13Yxma1P/lo/fUib0rpl8rEXsxdwhml8XW3R2:KBWpIPSpl8dMhm93w
MD5:	7BFC7D7EBECAC2EFE80503B981E58C5D
SHA1:	76FEF2771D7906DF6CD620D78D9C3DB2ECF5116D
SHA-256:	C00B60887D2B0F36E7C9A832CC0078275857769FAD65D33A61CD17ED6AB28702
SHA-512:	661DB1C90CB13FA8E56450C54EE1CBB898EBCF52C4A813AA3368A4649660040390221E729A1AD503EC92AEC2B7CCB3C78423EAFAA170B776F51374AF00DA6BB4
Malicious:	false
Preview:	7....-............(}.{R..r.F..........(}.{9.jQ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49562298669412
Encrypted:	false
SSDEEP:	192:PnaRtLYbBp6ahj4qyaaXP6KmHNKL5RfGNBw8dDSl:6eEqZltIcws0
MD5:	7AECF80058E74E470E1B32701DCA1736
SHA1:	3CBCA15F245BE6DB82F09937AF627107BC194CAF
SHA-256:	24BD189985AB3DA70A6F3C6686E5BCED7F6E431B8052884E29382790E913C6CC
SHA-512:	C2D94113FED95392BEB571C6DD6673B97E862990937250067EFF4D551A1AFAAA51EFEC54B90EF0B2E595FDA1D25011E5144BC0C8146746BAE937F957D2674481
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730377543);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730377543);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730377543);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173037

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49562298669412
Encrypted:	false
SSDEEP:	192:PnaRtLYbBp6ahj4qyaaXP6KmHNKL5RfGNBw8dDSl:6eEqZltIcws0
MD5:	7AECF80058E74E470E1B32701DCA1736
SHA1:	3CBCA15F245BE6DB82F09937AF627107BC194CAF
SHA-256:	24BD189985AB3DA70A6F3C6686E5BCED7F6E431B8052884E29382790E913C6CC
SHA-512:	C2D94113FED95392BEB571C6DD6673B97E862990937250067EFF4D551A1AFAAA51EFEC54B90EF0B2E595FDA1D25011E5144BC0C8146746BAE937F957D2674481
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730377543);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730377543);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730377543);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173037

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.332369241301678
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4JkLXnIgi/pnxQwRlszT5sKt3o3eHVQj6TGamhujJlOsIomNVr0ay:GUpOxJ2SnR6po3eHTG4JlIquR4
MD5:	7B9D0545518932F727B39A8D99252DE5
SHA1:	4AF95350F0B8A2A90F0D1F96D5EB0ECBE987BDB8
SHA-256:	E5BC4F6DD266EC380824913C3651DFC3C40FF97E88C42D402E4B4A449FFAE8A8
SHA-512:	C33234785429E27881E3890D77C258EDF6920D72D07DA194A39484527A1A2EBCA7CA15C01920CC40B37B39B36C8C0DA9F201B4A34A31E70706467A6F8D7E2EB3
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{88d83d9f-4747-4599-98e5-0de23ddc91b6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730377547762,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0130...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17196,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.332369241301678
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4JkLXnIgi/pnxQwRlszT5sKt3o3eHVQj6TGamhujJlOsIomNVr0ay:GUpOxJ2SnR6po3eHTG4JlIquR4
MD5:	7B9D0545518932F727B39A8D99252DE5
SHA1:	4AF95350F0B8A2A90F0D1F96D5EB0ECBE987BDB8
SHA-256:	E5BC4F6DD266EC380824913C3651DFC3C40FF97E88C42D402E4B4A449FFAE8A8
SHA-512:	C33234785429E27881E3890D77C258EDF6920D72D07DA194A39484527A1A2EBCA7CA15C01920CC40B37B39B36C8C0DA9F201B4A34A31E70706467A6F8D7E2EB3
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{88d83d9f-4747-4599-98e5-0de23ddc91b6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730377547762,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0130...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17196,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.332369241301678
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4JkLXnIgi/pnxQwRlszT5sKt3o3eHVQj6TGamhujJlOsIomNVr0ay:GUpOxJ2SnR6po3eHTG4JlIquR4
MD5:	7B9D0545518932F727B39A8D99252DE5
SHA1:	4AF95350F0B8A2A90F0D1F96D5EB0ECBE987BDB8
SHA-256:	E5BC4F6DD266EC380824913C3651DFC3C40FF97E88C42D402E4B4A449FFAE8A8
SHA-512:	C33234785429E27881E3890D77C258EDF6920D72D07DA194A39484527A1A2EBCA7CA15C01920CC40B37B39B36C8C0DA9F201B4A34A31E70706467A6F8D7E2EB3
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{88d83d9f-4747-4599-98e5-0de23ddc91b6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730377547762,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0130...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17196,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033158891258581
Encrypted:	false
SSDEEP:	48:YrSAYnj6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycjyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	41FCA3E2AFD02F0A0B050830112A3936
SHA1:	C7E080B18D0D6D31E5758F0AADACF2D5913C80B7
SHA-256:	E22E4AC55D7DFE0E0D8325E493DFFA1428DAD805CB82EC1F709070971F5A182D
SHA-512:	82DF4D14CF9038F53CFEA9AAFB228DC921C546658D6E119FACD6BAF58804DB071EA5773958F39497139EE49CED10CF24FCE5F3546A6CA1C4278ADCB674C599FE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T12:25:20.616Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033158891258581
Encrypted:	false
SSDEEP:	48:YrSAYnj6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycjyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	41FCA3E2AFD02F0A0B050830112A3936
SHA1:	C7E080B18D0D6D31E5758F0AADACF2D5913C80B7
SHA-256:	E22E4AC55D7DFE0E0D8325E493DFFA1428DAD805CB82EC1F709070971F5A182D
SHA-512:	82DF4D14CF9038F53CFEA9AAFB228DC921C546658D6E119FACD6BAF58804DB071EA5773958F39497139EE49CED10CF24FCE5F3546A6CA1C4278ADCB674C599FE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T12:25:20.616Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584707951208129
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	ad348d8fb166c6a092b4e7a111c49d91
SHA1:	da9eedc69ec90c8d1d9465029e2f0c4a69c0b067
SHA256:	d191828c73f166eca4ff2c3da47978dbe680af4512c0d350fc29d082ef949a7c
SHA512:	d39d6b1c69b02658c2a1fc08d28299e67910d88ef4b138d26f0d9eb3792050ae3753d287fbc415092627a93d65bf7746c111f9480a0dc79d0729a6fc30725bd0
SSDEEP:	12288:yqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TV:yqDEvCTbMWu7rQYlBQcBiT6rprG8abV
TLSH:	84159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67235BDE [Thu Oct 31 10:28:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8984B62DF3h
jmp 00007F8984B626FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8984B628DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8984B628AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8984B6549Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8984B654E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8984B654D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	5281c95682f1c122c42b961014b92454	False	0.3156398338607595	data	5.374209589283537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T11:31:25.317873+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.4	49764	TCP
2024-10-31T11:32:04.509990+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49817	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:31:11.734139919 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:11.734206915 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:11.734668016 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:11.746124983 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:11.746145010 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:12.358685970 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:12.363339901 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:12.367609024 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:12.378954887 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:12.378964901 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:12.378994942 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:12.379273891 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:12.389777899 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:13.839238882 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:13.839293003 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:13.839704990 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:13.841192007 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:13.841204882 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:13.966167927 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:13.971220970 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:13.972280979 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:13.972526073 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:13.977353096 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:14.284398079 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.284444094 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.285171986 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.286633015 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.286652088 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.485131979 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.485263109 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:14.485814095 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.487291098 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.487334967 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:14.487898111 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:14.487926006 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:14.489298105 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:14.489536047 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:14.489561081 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:14.527671099 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.527693987 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:14.527781963 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.529148102 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:14.529160976 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:14.583197117 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:14.636411905 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:14.659919024 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:14.664904118 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:14.671734095 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:14.671910048 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:14.676795959 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:14.715617895 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.715696096 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.716362000 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.716914892 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.723649025 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.723681927 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.723697901 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:14.723938942 CET	443	49738	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:14.724473000 CET	49738	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.114270926 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.114413023 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.117916107 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.117949009 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.118366957 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.120827913 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.120923042 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.121049881 CET	443	49742	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.121114969 CET	49742	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.134082079 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.134164095 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.134761095 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.135037899 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.135617018 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.135688066 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.140176058 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.140189886 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.140346050 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.140418053 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.140567064 CET	49740	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.140579939 CET	443	49740	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.141098022 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.141144991 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.141217947 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.142594099 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.142610073 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.143982887 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.144027948 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.144076109 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.144360065 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.144399881 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.144443035 CET	443	49747	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.144469976 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.144548893 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.145931005 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.145956039 CET	443	49747	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.168319941 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.173599005 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.175684929 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.199733973 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.199788094 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.200375080 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.200419903 CET	443	49749	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:15.200861931 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.200865030 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.201097965 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.201112986 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.202619076 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.202641964 CET	443	49749	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:15.202747107 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.207551956 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.208494902 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.208693027 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.213469982 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.274766922 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.276285887 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.281544924 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.287399054 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.477895021 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.483344078 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.491617918 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.500866890 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.500904083 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.500983000 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.501605988 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.503560066 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.714123011 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.714190960 CET	443	49751	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.718224049 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.719618082 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.719635963 CET	443	49751	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.758477926 CET	443	49747	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.767184973 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.803575039 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:15.805305004 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.815337896 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.816302061 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.823020935 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.823039055 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.823322058 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.826061964 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.826092958 CET	443	49747	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.826136112 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.826378107 CET	443	49747	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:15.827009916 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.827070951 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.827174902 CET	443	49748	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:15.831932068 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.831953049 CET	49747	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:15.831964970 CET	49748	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:15.846195936 CET	443	49749	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:15.846424103 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.850755930 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.850755930 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.850766897 CET	443	49749	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:15.850979090 CET	443	49749	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:15.851070881 CET	49749	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:15.868585110 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:15.990248919 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.990852118 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:15.994806051 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:15.994827986 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:16.005747080 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:16.005759954 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:16.005842924 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:16.006055117 CET	443	49746	142.250.186.78	192.168.2.4
Oct 31, 2024 11:31:16.007093906 CET	49746	443	192.168.2.4	142.250.186.78
Oct 31, 2024 11:31:16.164459944 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.169419050 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:16.169615030 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.169756889 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.174551010 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:16.175178051 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.175256014 CET	443	49753	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:16.175396919 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.176738977 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.176774979 CET	443	49753	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:16.326335907 CET	443	49751	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.326427937 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.330348015 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.330360889 CET	443	49751	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.330488920 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.330569029 CET	443	49751	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.330893993 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.330934048 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.330950975 CET	49751	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.331111908 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.332649946 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.332663059 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.667185068 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.672085047 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:16.773000002 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:16.786360025 CET	443	49753	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:16.786464930 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.791667938 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:16.817878008 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.833504915 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:16.857297897 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.857336044 CET	443	49753	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:16.857382059 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.857733965 CET	443	49753	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:16.857820988 CET	49753	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:16.949500084 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.949589968 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.954380989 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.954392910 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.954423904 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:16.954570055 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 11:31:16.954628944 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 11:31:17.194046021 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:17.202781916 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:17.278256893 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:17.283401966 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:17.298353910 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.298402071 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.300035000 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.300060987 CET	443	49757	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:17.301507950 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.301599979 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.301758051 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.301778078 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.303097963 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.303117990 CET	443	49757	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:17.319787979 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:17.366163969 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:17.402618885 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:17.450862885 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:17.903004885 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:17.907846928 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:17.909080029 CET	443	49757	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:17.916563988 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.921165943 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.921202898 CET	443	49757	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:17.921281099 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.921427011 CET	443	49757	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:17.921499014 CET	49757	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:17.940948963 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.941026926 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.943939924 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.943950891 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.944212914 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.946872950 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947006941 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947019100 CET	443	49756	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.947079897 CET	49756	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947382927 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947423935 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:17.947501898 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947638035 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:17.947653055 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:18.029129028 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:18.071784019 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:18.546123028 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:18.546200991 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:18.582055092 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:18.582096100 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:18.582362890 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:18.584844112 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:18.584928989 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:18.585021973 CET	443	49759	34.160.144.191	192.168.2.4
Oct 31, 2024 11:31:18.585357904 CET	49759	443	192.168.2.4	34.160.144.191
Oct 31, 2024 11:31:18.696418047 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:18.698376894 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:18.698414087 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:18.701267004 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:18.702970028 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:18.704294920 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:18.704307079 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:18.820612907 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:18.866159916 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:19.320225954 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:19.322105885 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:19.378381968 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:19.378403902 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:19.378563881 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:19.378582001 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:19.378591061 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:19.378720045 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:22.344506979 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:22.349313974 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:22.470345974 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:22.512268066 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:22.600981951 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.601037025 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:22.611545086 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.611622095 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:22.612713099 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.612740040 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.614765882 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.614799976 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:22.616065979 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:22.616101027 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:22.812447071 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:22.814928055 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:22.814977884 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:22.817379951 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:22.823508024 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:22.838200092 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:22.838232994 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:22.937350988 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:23.016844988 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:23.233083010 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.233195066 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.236140013 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.236155033 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.237668991 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.237687111 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.237746954 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.237885952 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.238001108 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.238013029 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.242367983 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.242382050 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.242453098 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.242588997 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:23.243060112 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:23.536401033 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:23.536410093 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:23.536524057 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:23.540565014 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:23.540576935 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:23.540601015 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:23.540803909 CET	443	49763	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:23.540927887 CET	49763	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:25.117744923 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:25.119926929 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:25.119977951 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:25.123548031 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:25.125945091 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:25.244838953 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:25.304254055 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:26.443320036 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:26.443340063 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:26.750792980 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:26.755645990 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:26.875216007 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:26.937335968 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:27.039521933 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:27.039685965 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:27.698551893 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:27.698551893 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:27.698579073 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:27.698820114 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:27.702137947 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:28.321846962 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:28.642349005 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:28.900255919 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:29.040971994 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.041028023 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.043600082 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.044090033 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.044117928 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.054250002 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.054281950 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.056320906 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.056335926 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.056444883 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.057461023 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.057578087 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.057594061 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.058103085 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.105904102 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:29.106920958 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.106980085 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.107212067 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.107251883 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.111299992 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.111335993 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.111466885 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.111499071 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.111598015 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.111610889 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.177747965 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.220251083 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.220298052 CET	443	49775	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.221987009 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.223051071 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:29.224301100 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.224313021 CET	443	49775	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.228362083 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:29.233323097 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.354640007 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:29.406866074 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:29.657413960 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.657561064 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.690715075 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.690788984 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.710882902 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.710959911 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.717344999 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.717426062 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.823973894 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.824004889 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.824305058 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.829472065 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.829488039 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.829761028 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.846440077 CET	443	49775	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.848177910 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.848221064 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.848464012 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.848767996 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.866997004 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.867012978 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.867340088 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.872880936 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873059034 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.873147964 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873295069 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873368025 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.873378992 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873393059 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.873550892 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873909950 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.873987913 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.874089003 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.874100924 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.874145985 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.874219894 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.874387980 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.874442101 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.875961065 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.875982046 CET	443	49775	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.876029968 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:29.876116991 CET	443	49775	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:29.876178026 CET	49775	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:30.087331057 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:30.087404966 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:30.145780087 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:30.151179075 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:30.151230097 CET	443	49776	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:30.151758909 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:30.152575970 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:30.153191090 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:30.153208017 CET	443	49776	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:30.272218943 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:30.280380964 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:30.289556980 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:30.325154066 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:30.406378031 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:30.447616100 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:30.771291018 CET	443	49776	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:30.772258043 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.467461109 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.467497110 CET	443	49776	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:31.467562914 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.467783928 CET	443	49776	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:31.468724012 CET	49776	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.716851950 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:31.719769955 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.719811916 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:31.719891071 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.721303940 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:31.721321106 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:31.722306013 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:31.842256069 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:31.845747948 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:31.850970030 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:31.882961988 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:31.971497059 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:32.014465094 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:32.326622009 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:32.326704025 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:32.331988096 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:32.331999063 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:32.332107067 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:32.332263947 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 11:31:32.333620071 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:31:32.335048914 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:32.339950085 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:32.459712029 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:32.463643074 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:32.470139980 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:32.515965939 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:32.590698957 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:32.631885052 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:35.368114948 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:35.368139982 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:35.368377924 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:35.369836092 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:35.369854927 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:35.996691942 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:35.996805906 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:36.006386995 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:36.006406069 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:36.006477118 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:36.006736040 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:36.009424925 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:36.010520935 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:36.014720917 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:36.134294987 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:36.138258934 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:36.143199921 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:36.179841042 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:36.264215946 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:36.311395884 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:40.735980034 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:40.736002922 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:40.740514994 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:40.740659952 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:40.740674019 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:40.767357111 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:40.767399073 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:40.767683029 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:40.767843962 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:40.767854929 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:40.771497011 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:40.771529913 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:40.771991968 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:40.772072077 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:40.772078991 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:40.803385019 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:40.803440094 CET	443	49782	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:40.807195902 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:40.811949968 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:40.811966896 CET	443	49782	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:40.820164919 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:40.820204020 CET	443	49783	35.201.103.21	192.168.2.4
Oct 31, 2024 11:31:40.821043968 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:40.823391914 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:40.823409081 CET	443	49783	35.201.103.21	192.168.2.4
Oct 31, 2024 11:31:41.361952066 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.362054110 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.365559101 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.365566969 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.365796089 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.368155956 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.368280888 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.368304968 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.368982077 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.372792959 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:41.374174118 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.374263048 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.377286911 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.377296925 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.377500057 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.377798080 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:41.378295898 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:41.378366947 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:41.381136894 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:41.381141901 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:41.381355047 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:41.383039951 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.383130074 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.383153915 CET	443	49780	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.384480953 CET	49780	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.384740114 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:41.384820938 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:41.384877920 CET	443	49781	151.101.129.91	192.168.2.4
Oct 31, 2024 11:31:41.384973049 CET	49781	443	192.168.2.4	151.101.129.91
Oct 31, 2024 11:31:41.392700911 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.392744064 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.393352032 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.393472910 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.393485069 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.394769907 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.394810915 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.395021915 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.395134926 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.395155907 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.397228003 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.397237062 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.397464037 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.397581100 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:41.397593021 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:41.418611050 CET	443	49782	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:41.418714046 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:41.423213005 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:41.423229933 CET	443	49782	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:41.423320055 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:41.423413992 CET	443	49782	35.190.72.216	192.168.2.4
Oct 31, 2024 11:31:41.423738003 CET	49782	443	192.168.2.4	35.190.72.216
Oct 31, 2024 11:31:41.448662043 CET	443	49783	35.201.103.21	192.168.2.4
Oct 31, 2024 11:31:41.448868990 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:41.452980995 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:41.452986956 CET	443	49783	35.201.103.21	192.168.2.4
Oct 31, 2024 11:31:41.453078985 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:41.453238964 CET	443	49783	35.201.103.21	192.168.2.4
Oct 31, 2024 11:31:41.453301907 CET	49783	443	192.168.2.4	35.201.103.21
Oct 31, 2024 11:31:41.465241909 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.465281963 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.465387106 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.465481043 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:41.465490103 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:41.497385025 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:41.500927925 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:41.505925894 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:41.542809010 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:41.627888918 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:41.681025028 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.002746105 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.002964020 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.006032944 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.006045103 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.006249905 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.009270906 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.009398937 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.009407997 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.009418011 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.010786057 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.010924101 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.014290094 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.014300108 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.014661074 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.016951084 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.017539024 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.017612934 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.017791986 CET	443	49784	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.020021915 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.020046949 CET	49784	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.022934914 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.073837996 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:42.073944092 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:42.078984976 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:42.078996897 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:42.079345942 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:42.082129955 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:42.082221031 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:42.082321882 CET	443	49787	34.149.100.209	192.168.2.4
Oct 31, 2024 11:31:42.082772970 CET	49787	443	192.168.2.4	34.149.100.209
Oct 31, 2024 11:31:42.141243935 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.146871090 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.151808977 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.198044062 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.219336033 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.219403982 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.272826910 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.313930035 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.384469986 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.384546041 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.387595892 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.387612104 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.387835026 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.390594959 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.390705109 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.390744925 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 11:31:42.390923977 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 11:31:42.393749952 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.398766041 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.518758059 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.522442102 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.527344942 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.561343908 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:42.648644924 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:42.699413061 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:52.527091026 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:52.531946898 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:52.658627987 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:52.663578033 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:56.032222986 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.032280922 CET	443	49789	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:56.032565117 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.033802986 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.033828020 CET	443	49789	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:56.646745920 CET	443	49789	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:56.646852016 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.651705027 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.651762009 CET	443	49789	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:56.651813030 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.651998997 CET	443	49789	34.107.243.93	192.168.2.4
Oct 31, 2024 11:31:56.652064085 CET	49789	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:31:56.654452085 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:56.659252882 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:56.778925896 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:56.784353018 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:56.789299011 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:56.824084044 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:56.910891056 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:56.955601931 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:57.183456898 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:57.188400030 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:57.307744026 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:57.310811996 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:57.315619946 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:57.356861115 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:31:57.436916113 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:31:57.488477945 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:07.316519976 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:07.321547031 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:07.454834938 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:07.459758043 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:10.884141922 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.884172916 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:10.884502888 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.884553909 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:10.884668112 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.884676933 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:10.896327019 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.896442890 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.896444082 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.896667957 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.896686077 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:10.896908045 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.896924019 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:10.897032976 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:10.897046089 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.500427961 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.500444889 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.500566959 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.503997087 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.504019022 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.504309893 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.506433010 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.506519079 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.506592035 CET	443	49857	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.506655931 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.506678104 CET	49857	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.508008957 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.508024931 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.508084059 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.510560036 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.510567904 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.510838032 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.512679100 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.512775898 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.512849092 CET	443	49859	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.513134003 CET	49859	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.519226074 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:11.524162054 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:11.536685944 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.536700964 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.536753893 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.539169073 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.539182901 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.539416075 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.541479111 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.541560888 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.541626930 CET	443	49858	34.120.208.123	192.168.2.4
Oct 31, 2024 11:32:11.542249918 CET	49858	443	192.168.2.4	34.120.208.123
Oct 31, 2024 11:32:11.644097090 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:11.669761896 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:11.674673080 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:11.698612928 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:11.795905113 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:11.845783949 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:21.659423113 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:21.664237976 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:21.797595024 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:21.802582026 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:31.674416065 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:31.679538965 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:31.806024075 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:31.810949087 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:37.093543053 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.093586922 CET	443	50003	34.107.243.93	192.168.2.4
Oct 31, 2024 11:32:37.093920946 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.095520020 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.095541000 CET	443	50003	34.107.243.93	192.168.2.4
Oct 31, 2024 11:32:37.709474087 CET	443	50003	34.107.243.93	192.168.2.4
Oct 31, 2024 11:32:37.709563971 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.715862989 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.715887070 CET	443	50003	34.107.243.93	192.168.2.4
Oct 31, 2024 11:32:37.716018915 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.716065884 CET	443	50003	34.107.243.93	192.168.2.4
Oct 31, 2024 11:32:37.716296911 CET	50003	443	192.168.2.4	34.107.243.93
Oct 31, 2024 11:32:37.719212055 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:37.724123955 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:37.844033957 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:37.848931074 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:37.853930950 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:37.892499924 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:37.978744030 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:38.023994923 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:47.853821039 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:47.860222101 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:47.992014885 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:47.997107983 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:57.866513014 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:57.871423960 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:32:58.004618883 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:32:58.009581089 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 11:33:07.880937099 CET	49750	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:33:07.885999918 CET	80	49750	34.107.221.82	192.168.2.4
Oct 31, 2024 11:33:08.012754917 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 11:33:08.017887115 CET	80	49752	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:31:11.750138044 CET	53104	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:11.758157969 CET	53	53104	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:11.768392086 CET	56430	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:11.775723934 CET	53	56430	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:13.826610088 CET	55234	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.830620050 CET	58615	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.837901115 CET	53389	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.838176966 CET	53	58615	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:13.839623928 CET	50028	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.845202923 CET	53	53389	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:13.845732927 CET	53168	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.846275091 CET	53	50028	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:13.846682072 CET	51000	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:13.852921009 CET	53	53168	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:13.856559038 CET	53	51000	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.475930929 CET	51895	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.483171940 CET	53	51895	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.485565901 CET	52295	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.488373041 CET	64948	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.492567062 CET	53	52295	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.496125937 CET	53	64948	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.502209902 CET	49188	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.502861977 CET	64880	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.509151936 CET	53	49188	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.511548996 CET	53	64880	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.518748045 CET	63391	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.521095991 CET	59213	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.525491953 CET	53	63391	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.528317928 CET	57107	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.536356926 CET	53	57107	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.563195944 CET	50590	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.570369005 CET	53	50590	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.570805073 CET	53	61162	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.642915010 CET	61353	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.643330097 CET	63976	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.649934053 CET	53	63976	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.649986982 CET	53	61353	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.650542021 CET	60185	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.753659964 CET	51436	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.760668993 CET	53	51436	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.768899918 CET	50729	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.775815010 CET	53	50729	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:14.776356936 CET	55643	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:14.783107996 CET	53	55643	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:16.175333023 CET	53947	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:16.182564974 CET	53	53947	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:16.186356068 CET	65273	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:16.193162918 CET	53	65273	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:17.287448883 CET	53835	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:17.296219110 CET	53	53835	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:17.299176931 CET	50554	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:17.305949926 CET	53	50554	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:17.309860945 CET	58814	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:17.316550970 CET	53	58814	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.492429018 CET	55536	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.499346018 CET	53	55536	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.525470018 CET	60897	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.525674105 CET	57004	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.525862932 CET	57588	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.532555103 CET	53	57004	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.532804966 CET	53	60897	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.533704996 CET	53	57588	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.534389973 CET	54594	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.541721106 CET	53	54594	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.579530001 CET	55583	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.581842899 CET	58237	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.582130909 CET	55563	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.587013006 CET	53	55583	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.588479996 CET	53	58237	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.588865042 CET	53	55563	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.590447903 CET	53636	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.591746092 CET	57536	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.592031002 CET	49483	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.597928047 CET	53	53636	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.598563910 CET	53	57536	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.599020004 CET	53	49483	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.603277922 CET	62254	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.603277922 CET	56566	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.610152006 CET	53	56566	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.610781908 CET	62987	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.610816002 CET	53	62254	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.611619949 CET	52081	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:18.617321968 CET	53	62987	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.620089054 CET	53	52081	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:18.700840950 CET	53112	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.338202953 CET	55501	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.345494032 CET	53	55501	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.406755924 CET	59719	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.414006948 CET	53	59719	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.415770054 CET	52905	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.423487902 CET	53	52905	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.589616060 CET	58610	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.597203016 CET	53	58610	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.612521887 CET	54672	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.619402885 CET	53	54672	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.620440960 CET	51806	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.627180099 CET	53	51806	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.813849926 CET	52655	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.821516037 CET	53	52655	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:22.968044996 CET	60324	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:22.975032091 CET	53	60324	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:29.041757107 CET	58626	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:29.060038090 CET	53	58626	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:35.368685961 CET	60228	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:35.376121044 CET	53	60228	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.735434055 CET	60141	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.742369890 CET	53	60141	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.763057947 CET	52166	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.770531893 CET	53	52166	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.771935940 CET	63848	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.779012918 CET	53	63848	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.789664030 CET	65002	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.797352076 CET	53	65002	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.806197882 CET	50334	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.813245058 CET	53	50334	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.820957899 CET	52143	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.828371048 CET	53	52143	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:40.836693048 CET	54840	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:40.844101906 CET	53	54840	1.1.1.1	192.168.2.4
Oct 31, 2024 11:31:56.032959938 CET	51615	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:31:56.039953947 CET	53	51615	1.1.1.1	192.168.2.4
Oct 31, 2024 11:32:10.882126093 CET	58706	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:32:10.889489889 CET	53	58706	1.1.1.1	192.168.2.4
Oct 31, 2024 11:32:11.519532919 CET	59495	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:32:36.660674095 CET	50106	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:32:37.092048883 CET	53	50106	1.1.1.1	192.168.2.4
Oct 31, 2024 11:32:37.093786001 CET	53015	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:32:37.100797892 CET	53	53015	1.1.1.1	192.168.2.4
Oct 31, 2024 11:32:37.719535112 CET	60853	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 11:31:11.750138044 CET	192.168.2.4	1.1.1.1	0x3f89	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:11.768392086 CET	192.168.2.4	1.1.1.1	0x7956	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:13.826610088 CET	192.168.2.4	1.1.1.1	0xfe0e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.830620050 CET	192.168.2.4	1.1.1.1	0xf748	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.837901115 CET	192.168.2.4	1.1.1.1	0xa14	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.839623928 CET	192.168.2.4	1.1.1.1	0x8ea0	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.845732927 CET	192.168.2.4	1.1.1.1	0xd0a1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:13.846682072 CET	192.168.2.4	1.1.1.1	0xb580	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:14.475930929 CET	192.168.2.4	1.1.1.1	0x9fb2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.485565901 CET	192.168.2.4	1.1.1.1	0x7a80	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.488373041 CET	192.168.2.4	1.1.1.1	0x9e8e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.502209902 CET	192.168.2.4	1.1.1.1	0x7a69	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:14.502861977 CET	192.168.2.4	1.1.1.1	0xbff4	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:14.518748045 CET	192.168.2.4	1.1.1.1	0x6273	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.521095991 CET	192.168.2.4	1.1.1.1	0xc49d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.528317928 CET	192.168.2.4	1.1.1.1	0x9832	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.563195944 CET	192.168.2.4	1.1.1.1	0x2e64	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:14.642915010 CET	192.168.2.4	1.1.1.1	0xda0f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.643330097 CET	192.168.2.4	1.1.1.1	0x512d	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.650542021 CET	192.168.2.4	1.1.1.1	0xb706	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.753659964 CET	192.168.2.4	1.1.1.1	0xeb09	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.768899918 CET	192.168.2.4	1.1.1.1	0xfc9f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.776356936 CET	192.168.2.4	1.1.1.1	0x20cb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:16.175333023 CET	192.168.2.4	1.1.1.1	0xf67	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:16.186356068 CET	192.168.2.4	1.1.1.1	0xcaf1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:17.287448883 CET	192.168.2.4	1.1.1.1	0x7abe	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.299176931 CET	192.168.2.4	1.1.1.1	0x1929	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.309860945 CET	192.168.2.4	1.1.1.1	0xa912	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.492429018 CET	192.168.2.4	1.1.1.1	0x3068	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.525470018 CET	192.168.2.4	1.1.1.1	0x3fb3	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.525674105 CET	192.168.2.4	1.1.1.1	0x232e	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.525862932 CET	192.168.2.4	1.1.1.1	0xf939	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.534389973 CET	192.168.2.4	1.1.1.1	0x28ed	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.579530001 CET	192.168.2.4	1.1.1.1	0x5163	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.581842899 CET	192.168.2.4	1.1.1.1	0x7888	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.582130909 CET	192.168.2.4	1.1.1.1	0xc21e	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.590447903 CET	192.168.2.4	1.1.1.1	0xbcd7	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.591746092 CET	192.168.2.4	1.1.1.1	0x13f5	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.592031002 CET	192.168.2.4	1.1.1.1	0x2f34	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.603277922 CET	192.168.2.4	1.1.1.1	0x84a3	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.603277922 CET	192.168.2.4	1.1.1.1	0xd9c0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610781908 CET	192.168.2.4	1.1.1.1	0x53fd	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.611619949 CET	192.168.2.4	1.1.1.1	0x6f36	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:18.700840950 CET	192.168.2.4	1.1.1.1	0x9735	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.338202953 CET	192.168.2.4	1.1.1.1	0x7c22	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.406755924 CET	192.168.2.4	1.1.1.1	0x3d10	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.415770054 CET	192.168.2.4	1.1.1.1	0x4c1c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:22.589616060 CET	192.168.2.4	1.1.1.1	0x9a72	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.612521887 CET	192.168.2.4	1.1.1.1	0x3f0e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.620440960 CET	192.168.2.4	1.1.1.1	0x8dae	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:22.813849926 CET	192.168.2.4	1.1.1.1	0x4b16	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.968044996 CET	192.168.2.4	1.1.1.1	0x5819	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:29.041757107 CET	192.168.2.4	1.1.1.1	0x8c33	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:35.368685961 CET	192.168.2.4	1.1.1.1	0x570d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:40.735434055 CET	192.168.2.4	1.1.1.1	0x2f77	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 11:31:40.763057947 CET	192.168.2.4	1.1.1.1	0x7f2a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.771935940 CET	192.168.2.4	1.1.1.1	0xc6df	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.789664030 CET	192.168.2.4	1.1.1.1	0x3503	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 11:31:40.806197882 CET	192.168.2.4	1.1.1.1	0x7a6b	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.820957899 CET	192.168.2.4	1.1.1.1	0x74ef	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.836693048 CET	192.168.2.4	1.1.1.1	0xe589	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:31:56.032959938 CET	192.168.2.4	1.1.1.1	0x9944	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:32:10.882126093 CET	192.168.2.4	1.1.1.1	0x145	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:32:11.519532919 CET	192.168.2.4	1.1.1.1	0xf9a7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:32:36.660674095 CET	192.168.2.4	1.1.1.1	0x69f1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:32:37.093786001 CET	192.168.2.4	1.1.1.1	0x5d42	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 11:32:37.719535112 CET	192.168.2.4	1.1.1.1	0x337d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 11:31:11.720884085 CET	1.1.1.1	192.168.2.4	0x914a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:11.758157969 CET	1.1.1.1	192.168.2.4	0x3f89	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.834474087 CET	1.1.1.1	192.168.2.4	0xfe0e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:13.834474087 CET	1.1.1.1	192.168.2.4	0xfe0e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.838176966 CET	1.1.1.1	192.168.2.4	0xf748	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.845202923 CET	1.1.1.1	192.168.2.4	0xa14	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.846275091 CET	1.1.1.1	192.168.2.4	0x8ea0	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:13.852921009 CET	1.1.1.1	192.168.2.4	0xd0a1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 11:31:13.856559038 CET	1.1.1.1	192.168.2.4	0xb580	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:14.483171940 CET	1.1.1.1	192.168.2.4	0x9fb2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.484932899 CET	1.1.1.1	192.168.2.4	0x7a4	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:14.484932899 CET	1.1.1.1	192.168.2.4	0x7a4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.492567062 CET	1.1.1.1	192.168.2.4	0x7a80	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.496125937 CET	1.1.1.1	192.168.2.4	0x9e8e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.525491953 CET	1.1.1.1	192.168.2.4	0x6273	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:14.525491953 CET	1.1.1.1	192.168.2.4	0x6273	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.528464079 CET	1.1.1.1	192.168.2.4	0xc49d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:14.536356926 CET	1.1.1.1	192.168.2.4	0x9832	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.649934053 CET	1.1.1.1	192.168.2.4	0x512d	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.649934053 CET	1.1.1.1	192.168.2.4	0x512d	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.649986982 CET	1.1.1.1	192.168.2.4	0xda0f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.657494068 CET	1.1.1.1	192.168.2.4	0xb706	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:14.657494068 CET	1.1.1.1	192.168.2.4	0xb706	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.760668993 CET	1.1.1.1	192.168.2.4	0xeb09	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:14.775815010 CET	1.1.1.1	192.168.2.4	0xfc9f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:15.183023930 CET	1.1.1.1	192.168.2.4	0x70bc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:15.183023930 CET	1.1.1.1	192.168.2.4	0x70bc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:16.173934937 CET	1.1.1.1	192.168.2.4	0x12fc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:16.182564974 CET	1.1.1.1	192.168.2.4	0xf67	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.296219110 CET	1.1.1.1	192.168.2.4	0x7abe	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:17.296219110 CET	1.1.1.1	192.168.2.4	0x7abe	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:17.296219110 CET	1.1.1.1	192.168.2.4	0x7abe	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.296355963 CET	1.1.1.1	192.168.2.4	0x2299	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.305949926 CET	1.1.1.1	192.168.2.4	0x1929	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:17.316550970 CET	1.1.1.1	192.168.2.4	0xa912	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.499346018 CET	1.1.1.1	192.168.2.4	0x3068	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532555103 CET	1.1.1.1	192.168.2.4	0x232e	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532555103 CET	1.1.1.1	192.168.2.4	0x232e	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.532804966 CET	1.1.1.1	192.168.2.4	0x3fb3	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.533704996 CET	1.1.1.1	192.168.2.4	0xf939	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:18.533704996 CET	1.1.1.1	192.168.2.4	0xf939	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.541721106 CET	1.1.1.1	192.168.2.4	0x28ed	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.587013006 CET	1.1.1.1	192.168.2.4	0x5163	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.588479996 CET	1.1.1.1	192.168.2.4	0x7888	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.588865042 CET	1.1.1.1	192.168.2.4	0xc21e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.588865042 CET	1.1.1.1	192.168.2.4	0xc21e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.588865042 CET	1.1.1.1	192.168.2.4	0xc21e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.588865042 CET	1.1.1.1	192.168.2.4	0xc21e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.597928047 CET	1.1.1.1	192.168.2.4	0xbcd7	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 11:31:18.598563910 CET	1.1.1.1	192.168.2.4	0x13f5	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:18.598563910 CET	1.1.1.1	192.168.2.4	0x13f5	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.598563910 CET	1.1.1.1	192.168.2.4	0x13f5	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.598563910 CET	1.1.1.1	192.168.2.4	0x13f5	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.598563910 CET	1.1.1.1	192.168.2.4	0x13f5	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.599020004 CET	1.1.1.1	192.168.2.4	0x2f34	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610152006 CET	1.1.1.1	192.168.2.4	0xd9c0	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610816002 CET	1.1.1.1	192.168.2.4	0x84a3	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610816002 CET	1.1.1.1	192.168.2.4	0x84a3	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610816002 CET	1.1.1.1	192.168.2.4	0x84a3	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.610816002 CET	1.1.1.1	192.168.2.4	0x84a3	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:18.707601070 CET	1.1.1.1	192.168.2.4	0x9735	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:18.707601070 CET	1.1.1.1	192.168.2.4	0x9735	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.345494032 CET	1.1.1.1	192.168.2.4	0x7c22	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:22.345494032 CET	1.1.1.1	192.168.2.4	0x7c22	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:22.345494032 CET	1.1.1.1	192.168.2.4	0x7c22	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.414006948 CET	1.1.1.1	192.168.2.4	0x3d10	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.597203016 CET	1.1.1.1	192.168.2.4	0x9a72	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:22.597203016 CET	1.1.1.1	192.168.2.4	0x9a72	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.619402885 CET	1.1.1.1	192.168.2.4	0x3f0e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:22.821516037 CET	1.1.1.1	192.168.2.4	0x4b16	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.770531893 CET	1.1.1.1	192.168.2.4	0x7f2a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.770531893 CET	1.1.1.1	192.168.2.4	0x7f2a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.770531893 CET	1.1.1.1	192.168.2.4	0x7f2a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.770531893 CET	1.1.1.1	192.168.2.4	0x7f2a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.779012918 CET	1.1.1.1	192.168.2.4	0xc6df	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.779012918 CET	1.1.1.1	192.168.2.4	0xc6df	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.779012918 CET	1.1.1.1	192.168.2.4	0xc6df	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.779012918 CET	1.1.1.1	192.168.2.4	0xc6df	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.797352076 CET	1.1.1.1	192.168.2.4	0x3503	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 11:31:40.797352076 CET	1.1.1.1	192.168.2.4	0x3503	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 11:31:40.797352076 CET	1.1.1.1	192.168.2.4	0x3503	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 11:31:40.797352076 CET	1.1.1.1	192.168.2.4	0x3503	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 11:31:40.813245058 CET	1.1.1.1	192.168.2.4	0x7a6b	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:40.813245058 CET	1.1.1.1	192.168.2.4	0x7a6b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:40.828371048 CET	1.1.1.1	192.168.2.4	0x74ef	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:31:42.030494928 CET	1.1.1.1	192.168.2.4	0xe3a0	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:31:42.030494928 CET	1.1.1.1	192.168.2.4	0xe3a0	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:32:10.866101980 CET	1.1.1.1	192.168.2.4	0x7306	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:32:11.526549101 CET	1.1.1.1	192.168.2.4	0xf9a7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:32:11.526549101 CET	1.1.1.1	192.168.2.4	0xf9a7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:32:37.092048883 CET	1.1.1.1	192.168.2.4	0x69f1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:32:37.726872921 CET	1.1.1.1	192.168.2.4	0x337d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:32:37.726872921 CET	1.1.1.1	192.168.2.4	0x337d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	2932	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:31:13.972526073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:14.583197117 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81110 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	34.107.221.82	80	2932	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:31:14.671910048 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:15.274766922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72481 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	2932	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:31:15.208693027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:15.803575039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81111 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:16.667185068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:16.791667938 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81112 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:17.278256893 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:17.402618885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81113 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:18.696418047 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:18.820612907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81114 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:22.812447071 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:22.937350988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81118 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:26.750792980 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:26.875216007 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81122 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:28.900255919 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:29.177747965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:30.145780087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:30.272218943 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81126 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:31.716851950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:31.842256069 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81127 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:32.335048914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:32.459712029 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81128 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:36.009424925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:36.134294987 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81132 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:41.372792959 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:41.497385025 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81137 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:42.016951084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:42.141243935 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:42.393749952 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:42.518758059 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:52.527091026 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:31:56.654452085 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:56.778925896 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81152 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:31:57.183456898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:31:57.307744026 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81153 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:32:07.316519976 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:11.519226074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:32:11.644097090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81167 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:32:21.659423113 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:31.674416065 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:37.719212055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 11:32:37.844033957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 81193 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 11:32:47.853821039 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:57.866513014 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:33:07.880937099 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	2932	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:31:16.169756889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:16.773000002 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72482 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:17.194046021 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:17.319787979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72483 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:17.903004885 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:18.029129028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72483 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:22.344506979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:22.470345974 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72488 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:25.117744923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:25.244838953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72491 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:28.321846962 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:28.642349005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:29.056444883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72494 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:29.228362083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:29.354640007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72495 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:30.280380964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:30.406378031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72496 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:31.845747948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:31.971497059 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72497 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:32.463643074 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:32.590698957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72498 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:36.138258934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:36.264215946 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72502 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:41.500927925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:41.627888918 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72507 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:42.146871090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:42.272826910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72508 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:42.522442102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:42.648644924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72508 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:52.658627987 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:31:56.784353018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:56.910891056 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72522 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:31:57.310811996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:31:57.436916113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72523 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:32:07.454834938 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:11.669761896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:32:11.795905113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72537 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:32:21.797595024 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:31.806024075 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:37.848931074 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 11:32:37.978744030 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 72563 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 11:32:47.992014885 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:32:58.004618883 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 11:33:08.012754917 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	06:31:05
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x890000
File size:	919'552 bytes
MD5 hash:	AD348D8FB166C6A092B4E7A111C49D91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:31:05
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:31:05
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x9c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:31:08
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:31:09
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:31:09
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	06:31:09
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f675acb6-0950-4792-885b-8e6118ba394d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200f2370f10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:31:11
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f19b71-546d-4e76-a3b3-b98c452652e3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 200821acb10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:31:14
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 31336 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24dd366-d783-4abb-ac2d-1b0d4e0a54d8} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 20083bf3510 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1550
Total number of Limit Nodes:	50

Executed Functions

Function 008942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0089430D

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

GetCurrentProcess.KERNEL32(?,0092CB64,00000000,?,?), ref: 00894422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00894429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00894454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00894466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00894474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0089447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008944A0

Strings

kernel32.dll, xrefs: 0089444F
|O, xrefs: 008D36F8
GetNativeSystemInfo, xrefs: 00894460

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e6e8c91c67a134d179f10efc4d69acff229a1b7af6a45b1ac98273a158b6ebc4
Instruction ID: f5732391b7f7916f72b4b66045ca8a76db5452a8d05cd77d7685daaebd251d07
Opcode Fuzzy Hash: e6e8c91c67a134d179f10efc4d69acff229a1b7af6a45b1ac98273a158b6ebc4
Instruction Fuzzy Hash: 19A1936293E2C4DFCB11EB697C41D997FA4BB36304B0C59AEE043D3B22D2A04545FB66

Function 008942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008950AA,?,?,00000000,00000000), ref: 008942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008950AA,?,?,00000000,00000000), ref: 008942C9
LoadResource.KERNEL32(?,00000000,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20), ref: 008D35BE
SizeofResource.KERNEL32(?,00000000,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20), ref: 008D35D3
LockResource.KERNEL32(008950AA,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20,?), ref: 008D35E6

Strings

SCRIPT, xrefs: 008942BF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 722cc31f54d79353c35d48fafb97137e8766c9055d1aa4edd18e36e177c37fe4
Instruction ID: 36c29b97b35ca995d8b41e0a6bf7a53ba96efed019272d22a6b135acb64faace
Opcode Fuzzy Hash: 722cc31f54d79353c35d48fafb97137e8766c9055d1aa4edd18e36e177c37fe4
Instruction Fuzzy Hash: C2117CB0204701BFEB219BA5DC48F2B7BB9FFC5B51F248169B412D6650DBB2D8019620

Function 008D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00892B6B

Part of subcall function 00893A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00961418,?,00892E7F,?,?,?,00000000), ref: 00893A78

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00952224), ref: 008D2C10
ShellExecuteW.SHELL32(00000000,?,?,00952224), ref: 008D2C17

Strings

runas, xrefs: 008D2C0B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a75f137429ccc6e546cb2b92730b78a10589ef22da7d6d48f967a8a05831debf
Instruction ID: f3c11519cd2310dc535d75e961109951e59dc850bcbb0ce3debd2f867ba52f9b
Opcode Fuzzy Hash: a75f137429ccc6e546cb2b92730b78a10589ef22da7d6d48f967a8a05831debf
Instruction Fuzzy Hash: D6119D31208305AACF14FF68D8529BE77E4FBA1355F4C042DF582D21A2DF618A0AA713

Function 008FD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008FD501
Process32FirstW.KERNEL32(00000000,?), ref: 008FD50F
Process32NextW.KERNEL32(00000000,?), ref: 008FD52F
CloseHandle.KERNELBASE(00000000), ref: 008FD5DC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f7564788a8623a3ced59afcd2ab383a6ecd7bc77a7f37527d27a8fa2b6111f61
Instruction ID: 398ecf5a17fa2f65301f8d9c8fb95b680798aadac7fd1883f329b4a97e9c5771
Opcode Fuzzy Hash: f7564788a8623a3ced59afcd2ab383a6ecd7bc77a7f37527d27a8fa2b6111f61
Instruction Fuzzy Hash: 8E318F710083049FD704EF68C881ABEBBE8FF99354F14092DF681C21A1EB61A949CB93

Function 008FDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,008D5222), ref: 008FDBCE
GetFileAttributesW.KERNELBASE(?), ref: 008FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 008FDBEE
FindClose.KERNEL32(00000000), ref: 008FDBFA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 476761b6a95da53a900b0d96930a4664c0500f224636899c162111bbe5fa74b5
Instruction ID: 58b7cc83b7dd4f0e6f5f35d57307f20504169087cedfc18db2ddbe18480dcaab
Opcode Fuzzy Hash: 476761b6a95da53a900b0d96930a4664c0500f224636899c162111bbe5fa74b5
Instruction Fuzzy Hash: ABF0A070829A189782306B78AC0E8BE376DEF01334B104702FA76C22E0EBB0995696D5

Function 008B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000,?,008C28E9), ref: 008B4D09
TerminateProcess.KERNEL32(00000000,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000,?,008C28E9), ref: 008B4D10
ExitProcess.KERNEL32 ref: 008B4D22

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 28bd50e1700a6f1f7fac639b3f9a6f3593eba117f202f37d4265638c44c2efea
Instruction ID: ac9d2f41ecca913903ecb96a9dd02bd8d3d5196de324e45a7c1de274bfa18a7c
Opcode Fuzzy Hash: 28bd50e1700a6f1f7fac639b3f9a6f3593eba117f202f37d4265638c44c2efea
Instruction Fuzzy Hash: 15E0B671014548ABCF21AF58ED0AE993B69FB41795B148418FC05CA223CB35DD52EB84

Function 0091AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0091B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0091B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0091B1D4
_wcslen.LIBCMT ref: 0091B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0091B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0091B236
_wcslen.LIBCMT ref: 0091B332

Part of subcall function 009005A7: GetStdHandle.KERNEL32(000000F6), ref: 009005C6

_wcslen.LIBCMT ref: 0091B34B
_wcslen.LIBCMT ref: 0091B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0091B3B6
GetLastError.KERNEL32(00000000), ref: 0091B407
CloseHandle.KERNEL32(?), ref: 0091B439
CloseHandle.KERNEL32(00000000), ref: 0091B44A
CloseHandle.KERNEL32(00000000), ref: 0091B45C
CloseHandle.KERNEL32(00000000), ref: 0091B46E
CloseHandle.KERNEL32(?), ref: 0091B4E3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e935460cfaa1004eea456579cd88f54caaedc81ae1d2f90b04ea877946d1cdef
Instruction ID: e1f57331e3e1e4fb281216a6fb182a54f5d0e609637066d53c2d0d97820a0b4b
Opcode Fuzzy Hash: e935460cfaa1004eea456579cd88f54caaedc81ae1d2f90b04ea877946d1cdef
Instruction Fuzzy Hash: 54F17D316082449FCB14EF28C891B6EBBE6FF85314F18895DF4959B2A2DB31DC45CB52

Function 0089D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0089D807
timeGetTime.WINMM ref: 0089DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB28
TranslateMessage.USER32(?), ref: 0089DB7B
DispatchMessageW.USER32(?), ref: 0089DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB9F
Sleep.KERNELBASE(0000000A), ref: 0089DBB1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 9eca10ff4ecb50584f0728dd0410c5ee3ccb5381772f7364cd4805d91696d32c
Instruction ID: 36f033f7d097c5ddff28991221ac54b62f65b6530414f95ab7a47c321ef7f37a
Opcode Fuzzy Hash: 9eca10ff4ecb50584f0728dd0410c5ee3ccb5381772f7364cd4805d91696d32c
Instruction Fuzzy Hash: 41420070608345DFDB28EF29C844BAABBE4FF86314F18452DE556C72A1D770E844DB86

Function 00892CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00892D07
RegisterClassExW.USER32(00000030), ref: 00892D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00892D42
InitCommonControlsEx.COMCTL32(?), ref: 00892D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00892D6F
LoadIconW.USER32(000000A9), ref: 00892D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00892D94

Strings

AutoIt v3 GUI, xrefs: 00892D23
TaskbarCreated, xrefs: 00892D37
+, xrefs: 00892CF0
0, xrefs: 00892CE9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9d263ce87585318c35fdb3f4c4721c03d40907a3be102a645db3d041058b1559
Instruction ID: d8e75c74054c9b484bf86a0e4b0cc68cda9cbea8fb14f83711172fb8153c22c3
Opcode Fuzzy Hash: 9d263ce87585318c35fdb3f4c4721c03d40907a3be102a645db3d041058b1559
Instruction Fuzzy Hash: 5721F4B5D69318AFDB10DFA4EC49BDDBBB8FB08701F04411AF611A62A0D7B10545EF91

Function 008D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D039A: CreateFileW.KERNELBASE(00000000,00000000,?,008D0704,?,?,00000000,?,008D0704,00000000,0000000C), ref: 008D03B7

GetLastError.KERNEL32 ref: 008D076F
__dosmaperr.LIBCMT ref: 008D0776
GetFileType.KERNELBASE(00000000), ref: 008D0782
GetLastError.KERNEL32 ref: 008D078C
__dosmaperr.LIBCMT ref: 008D0795
CloseHandle.KERNEL32(00000000), ref: 008D07B5
CloseHandle.KERNEL32(?), ref: 008D08FF
GetLastError.KERNEL32 ref: 008D0931
__dosmaperr.LIBCMT ref: 008D0938

Strings

H, xrefs: 008D08BD

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0b574bec533af784935a02d02adb354ff64fc9e2adab930d955f6cdbcf702167
Instruction ID: 119ccab581df7f2a219d5ea48e8946f6132d39bc56b26764d01f581f0549dd4d
Opcode Fuzzy Hash: 0b574bec533af784935a02d02adb354ff64fc9e2adab930d955f6cdbcf702167
Instruction Fuzzy Hash: 8AA1F332A141089FDF19AF68DC91BAE7BA0FB46324F14025EF815DF392D6719812DF92

Function 0089344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00893A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00961418,?,00892E7F,?,?,?,00000000), ref: 00893A78

Part of subcall function 00893357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00893379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0089356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008D31CE
RegCloseKey.ADVAPI32(?), ref: 008D3210
_wcslen.LIBCMT ref: 008D3277
_wcslen.LIBCMT ref: 008D3286

Strings

\Include\, xrefs: 00893527
Software\AutoIt v3\AutoIt, xrefs: 00893560
\, xrefs: 008D328C
Include, xrefs: 008D3184, 008D31C5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0c04d0d60f291962b39834b1dc7d50341e3ea001c3f0e77836e320b4bc66d925
Instruction ID: 28b2afaf81e98b32615296baf8ab3e6081c5133bae45c7e4f4c5896b4e2a66f0
Opcode Fuzzy Hash: 0c04d0d60f291962b39834b1dc7d50341e3ea001c3f0e77836e320b4bc66d925
Instruction Fuzzy Hash: 1571C0714187019EC714EF69EC82C6BBBE8FF95B40F44092EF585C32A0EB708A48DB52

Function 00892B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00892B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00892B9D
LoadIconW.USER32(00000063), ref: 00892BB3
LoadIconW.USER32(000000A4), ref: 00892BC5
LoadIconW.USER32(000000A2), ref: 00892BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00892BEF
RegisterClassExW.USER32(?), ref: 00892C40

Part of subcall function 00892CD4: GetSysColorBrush.USER32(0000000F), ref: 00892D07
Part of subcall function 00892CD4: RegisterClassExW.USER32(00000030), ref: 00892D31
Part of subcall function 00892CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00892D42
Part of subcall function 00892CD4: InitCommonControlsEx.COMCTL32(?), ref: 00892D5F
Part of subcall function 00892CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00892D6F
Part of subcall function 00892CD4: LoadIconW.USER32(000000A9), ref: 00892D85
Part of subcall function 00892CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00892D94

Strings

0, xrefs: 00892C0F
#, xrefs: 00892C16
AutoIt v3, xrefs: 00892C2F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: dae07537430594fac7219fbbffe6d229305b5dbb01ede552acd4727e1e41d7d9
Instruction ID: 23af842c03e8c5830eeea6cdf59829ea097ba2a58d5c38de74b6df0bf62aaab1
Opcode Fuzzy Hash: dae07537430594fac7219fbbffe6d229305b5dbb01ede552acd4727e1e41d7d9
Instruction Fuzzy Hash: 782109B4E28314ABDB109FA5EC55E9D7FB4FB48B50F48001EE501A67A0D7F14640EF90

Function 00893170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0089316A,?,?), ref: 008931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0089316A,?,?), ref: 00893204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00893227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0089316A,?,?), ref: 00893232
CreatePopupMenu.USER32 ref: 00893246
PostQuitMessage.USER32(00000000), ref: 00893267

Strings

TaskbarCreated, xrefs: 0089322D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 85dbc354e9583e27a8944e6655cf7c1c1c7427f6ea821a9dfa50be8d90f465b3
Instruction ID: 3a6925981b7f8a7f14ad14ecfbbb06f0ac2e985d85b9d33a8cd68b61d3fd401c
Opcode Fuzzy Hash: 85dbc354e9583e27a8944e6655cf7c1c1c7427f6ea821a9dfa50be8d90f465b3
Instruction Fuzzy Hash: 1F41F731258208A7DF253BB89D0DB7D375AFB05345F0C012AF512D67B1CBA19A41A7A2

Function 00891410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00891459
CoUninitialize.COMBASE ref: 008914F8
UnregisterHotKey.USER32(?), ref: 008916DD
DestroyWindow.USER32(?), ref: 008D24B9
FreeLibrary.KERNEL32(?), ref: 008D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008D254B

Strings

close all, xrefs: 00891454

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 81f3607f4f3eb1cb6adf5b209c5c8c33dae6a61bcf968fa5b7a6c0964f52c70c
Instruction ID: 35e1daf44358ee6d9c0f71aa001b4afc0787b7cc3c33fa547ccbf9e19d044cb7
Opcode Fuzzy Hash: 81f3607f4f3eb1cb6adf5b209c5c8c33dae6a61bcf968fa5b7a6c0964f52c70c
Instruction Fuzzy Hash: CED17A306052128FDF29EF58D899A28F7A4FF15710F1942AEE54AEB352CB30AC12CF51

Function 00892C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00892C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00892CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00891CAD,?), ref: 00892CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00891CAD,?), ref: 00892CCF

Strings

edit, xrefs: 00892CAC
AutoIt v3, xrefs: 00892C89, 00892C8E, 00892C8F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5d688989f4328e9c6191431fe38cd3234dda0d94da89d1664a35ca2731dd0e44
Instruction ID: 16086661ea0bb5467170e13aa6e4ded9668d2ab2685a79c4ed768fc568a9c398
Opcode Fuzzy Hash: 5d688989f4328e9c6191431fe38cd3234dda0d94da89d1664a35ca2731dd0e44
Instruction Fuzzy Hash: F2F0FEB55643907AEB711717AC08E7B3EBDD7CAF50F04005EF901A36A0C6B11851FAB1

Function 00893B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B83

Strings

Control Panel\Mouse, xrefs: 00893B3E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 74dff3abd12816532a9f2a4981b459ca14873aba5954229fb5d068bd7bef8bf4
Instruction ID: 86e8bfc48efd9721b9eaffcbc13740dbd8ea730302b4055da9ac2f5be9c5e1d4
Opcode Fuzzy Hash: 74dff3abd12816532a9f2a4981b459ca14873aba5954229fb5d068bd7bef8bf4
Instruction Fuzzy Hash: 97112AB5520208FFDF209FA5DC44EAEB7B8FF05754B144459A805D7210D2719E41A7A0

Function 00893923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008D33A2

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00893A04

Strings

Line: , xrefs: 008D33EB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ab1c9eee82a608ff585583c52ab65e3ccefd8297a3a7ada488433ac24984fa99
Instruction ID: a3024f1789a461adda91fbd15b40ce8b9cc6e7825fb59294a48ea318d79cf24b
Opcode Fuzzy Hash: ab1c9eee82a608ff585583c52ab65e3ccefd8297a3a7ada488433ac24984fa99
Instruction Fuzzy Hash: 24319E71408304AACB25FB24DC45BEBB7E8FB45714F08452EF59AD2291EBB09A4897C3

Function 008AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008B0668

Part of subcall function 008B32A4: RaiseException.KERNEL32(?,?,?,008B068A,?,00961444,?,?,?,?,?,?,008B068A,00891129,00958738,00891129), ref: 008B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008B0685

Strings

Unknown exception, xrefs: 008B0692

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: cae41efc5f43434e1d54b72f41f009ef58a62cf49f23474686318fb490d0a5ba
Instruction ID: 00b10530fef9474ccab8bf72a0560d0463bf983825b11f5031a3c560354be037
Opcode Fuzzy Hash: cae41efc5f43434e1d54b72f41f009ef58a62cf49f23474686318fb490d0a5ba
Instruction Fuzzy Hash: 5FF0C23490030D778F10B6A8D846CDF776CFE51354B604131B914E6AA2EF71EA29CE82

Function 008910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00891BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00891BF4
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00891BFC
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00891C07
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00891C12
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00891C1A
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00891C22

Part of subcall function 00891B4A: RegisterWindowMessageW.USER32(00000004,?,008912C4), ref: 00891BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0089136A
OleInitialize.OLE32 ref: 00891388
CloseHandle.KERNEL32(00000000,00000000), ref: 008D24AB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e4ef9a378b64ceeac4b2a8dc42e05058c207cda55dee0476c47d85ddac027789
Instruction ID: 0d620dbd461a26656187f62bdc0be0d2c1a0ff9f6a06bcc9b71b5d8dd89a5b71
Opcode Fuzzy Hash: e4ef9a378b64ceeac4b2a8dc42e05058c207cda55dee0476c47d85ddac027789
Instruction Fuzzy Hash: CD719EB89293018FCB94EF7EA945659BAE5FB8834475C812EE01BC7271EBB04441FF46

Function 008FC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00893923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00893A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008FC259
KillTimer.USER32(?,00000001,?,?), ref: 008FC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008FC270

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6dd7f2f48ef0ec329a65627a81660d453c7b5f1ec17ab1c2e7b152e821a0a0db
Instruction ID: 21d20694b62bce18437a5170261195a419c7d0bd5718d9bee1e17d384bbe80c2
Opcode Fuzzy Hash: 6dd7f2f48ef0ec329a65627a81660d453c7b5f1ec17ab1c2e7b152e821a0a0db
Instruction Fuzzy Hash: FA31507090434CAFEB329B748955BEABBECEB06308F04049AD69AA7241C7745B85DB51

Function 008C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008C85CC,?,00958CC8,0000000C), ref: 008C8704
GetLastError.KERNEL32(?,008C85CC,?,00958CC8,0000000C), ref: 008C870E
__dosmaperr.LIBCMT ref: 008C8739

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 35c035248079ffd473162e05b4480642cc588d6ffa3bdb1937ac82ec6d47ae49
Instruction ID: 4455a974d03749d28d6183481873a8d493c017a93db1ac32bb241528dc2e726f
Opcode Fuzzy Hash: 35c035248079ffd473162e05b4480642cc588d6ffa3bdb1937ac82ec6d47ae49
Instruction Fuzzy Hash: CE012F32645560A6D62462385C49F7F6775EB92778F35021DF814CB2D2DEB0DCC19151

Function 0089DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0089DB7B
DispatchMessageW.USER32(?), ref: 0089DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB9F
Sleep.KERNELBASE(0000000A), ref: 0089DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008E1CC9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f9dd338e5dc12beefce4b45ecac8ec0f5fbe02f4a2cf4a5e75eaa5410fdf064b
Instruction ID: 6fee235694796d97a6790c2d6d94b5fd0da2f401dd90345bf4cea248f06a700e
Opcode Fuzzy Hash: f9dd338e5dc12beefce4b45ecac8ec0f5fbe02f4a2cf4a5e75eaa5410fdf064b
Instruction Fuzzy Hash: 1FF05E706183809BEB30DB608C49FAA73ACFB45310F144A29E60AD30C0DB70A4899B25

Function 008A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008A17F6

Strings

CALL, xrefs: 008A17C6

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c5c6985d61383b6b0fca3868952c5a79f5141a4d8d1b7368fc620fdd250fe6cd
Instruction ID: 39f7d20a374ba6fdc236f09954c1bcec1e20a563a46046332b58b72099b3c0cf
Opcode Fuzzy Hash: c5c6985d61383b6b0fca3868952c5a79f5141a4d8d1b7368fc620fdd250fe6cd
Instruction Fuzzy Hash: 6B228C706082419FEB14DF19C484A2ABBF1FF96354F18892DF496CB7A2D771E851CB82

Function 00892DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008D2C8C

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 00892DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00892DC4

Strings

X, xrefs: 008D2C5A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 0ed4b96ec2f376f98325954ae7161ed82275fbaccc16508ae0fcd50754671f65
Instruction ID: c91f5a0d5cb40f5cf315136829a709ea0c671cc117148384939478fe7b9c2347
Opcode Fuzzy Hash: 0ed4b96ec2f376f98325954ae7161ed82275fbaccc16508ae0fcd50754671f65
Instruction Fuzzy Hash: A421C371A10258AFCF01EF98C845BEE7BF8FF48315F04405AE405E7341EBB45A498BA2

Function 00893837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00893908

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 76eeb17d8f5ac7cca37728bc77b0428c05ab2cc0ee0212be830e7654709b401c
Instruction ID: 21b7b6c13e7dca0bdeaa9d30f2006a82c792022f004b200fea3035caf123ef8f
Opcode Fuzzy Hash: 76eeb17d8f5ac7cca37728bc77b0428c05ab2cc0ee0212be830e7654709b401c
Instruction Fuzzy Hash: 9831A5706083019FD720EF64D884B97BBE4FB49708F04092EF59AD7350E7B1AA44DB92

Function 008AF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008AF661

Part of subcall function 0089D730: GetInputState.USER32 ref: 0089D807

Sleep.KERNEL32(00000000), ref: 008EF2DE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: a675b1a033f6235f664c23328275181cac2081557ea2ccda77eacdbbea1cd846
Instruction ID: 9443d75bbc372ee0309d6825cca68b0b25adca336c7c5b45d969006b2dfab4b9
Opcode Fuzzy Hash: a675b1a033f6235f664c23328275181cac2081557ea2ccda77eacdbbea1cd846
Instruction Fuzzy Hash: D7F0A071244605AFD310FFB9E549B6AB7E8FF46761F000029F959C7361DB70A800CB92

Function 00894ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00894E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E9C
Part of subcall function 00894E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00894EAE
Part of subcall function 00894E90: FreeLibrary.KERNEL32(00000000,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EFD

Part of subcall function 00894E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E62
Part of subcall function 00894E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00894E74
Part of subcall function 00894E59: FreeLibrary.KERNEL32(00000000,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E87

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8b69a12b74fbf73204574a310d78d0e6325e19c693a9ea0a1735fd059f9da5e9
Instruction ID: e6d1266c9f54773a2ef5d36a5a908c7b38ecdc95044cdbf7dc929844049cdcbc
Opcode Fuzzy Hash: 8b69a12b74fbf73204574a310d78d0e6325e19c693a9ea0a1735fd059f9da5e9
Instruction Fuzzy Hash: 5F11E332610206AACF24BF68DC02FAD77A5FF40754F14842EF542E62D1EE709A069752

Function 008C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008C8440

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a9b92e1c562d6b3542e86ac429d90e992d1faa678ce17fd50cc4528eba1f4b00
Instruction ID: a5083a7febc39ae3059187483c17c341bf574336568f2d1a24e197245a54617f
Opcode Fuzzy Hash: a9b92e1c562d6b3542e86ac429d90e992d1faa678ce17fd50cc4528eba1f4b00
Instruction Fuzzy Hash: 1911067590410AEFCB09DF58E941E9A7BF9FF48314F154069F808EB312DA31DA118BA5

Function 008C5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008C4C7D: RtlAllocateHeap.NTDLL(00000008,00891129,00000000,?,008C2E29,00000001,00000364,?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?), ref: 008C4CBE

_free.LIBCMT ref: 008C506C

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 800f1f7c456e79f56497951ae311af87e7a36e2de5bd512f15f5061af29902c0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3A012672204B046BE721CE699881F5AFBF8FB89370F25051DE584C32C0EA30E845C6B4

Function 008BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 236fea34805a80266800176e8e5155fe3b2efefbbcda6b351d84c8fb41a8b388
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: BFF06D32511A14AED6312A6D9C05FDA27A8FF62335F100619F925D23D2DA74E805C6A6

Function 008C4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00891129,00000000,?,008C2E29,00000001,00000364,?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?), ref: 008C4CBE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25384aaacff44599c3c2433ed6397a438204bdd454abe9cf8238d0f3b3d78cc1
Instruction ID: f36917f3ed5f5642b8eae424ddf131f7450b4de76af5236e8e680b7d08e47aff
Opcode Fuzzy Hash: 25384aaacff44599c3c2433ed6397a438204bdd454abe9cf8238d0f3b3d78cc1
Instruction Fuzzy Hash: E9F0243160622467DB201F269C16F9A37A8FF403B0B046119FC05E62A1CAB0D84042E0

Function 008C3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e15aabee7f0bb796454bc579a3ce4538746a1ccb5e24f49a774eee475aa23e54
Instruction ID: 592a268a774d07c1c6a910e22b1cf780f33aa0ee79b99d2f2defffefe2a13e65
Opcode Fuzzy Hash: e15aabee7f0bb796454bc579a3ce4538746a1ccb5e24f49a774eee475aa23e54
Instruction Fuzzy Hash: FEE0E53110822457E6312A6A9C02FDA3778FB427B0F058038BC15D2692CB70DE0385E1

Function 00894F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894F6D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 39bb8375506e9b740dfd34883b87de1cf7188290e5e5cbcc4081d5cd7fa63afc
Instruction ID: 7542eecfd74a6ae9487c1846a06ffbf89a5899d8ff3738e22445fde5df442b6e
Opcode Fuzzy Hash: 39bb8375506e9b740dfd34883b87de1cf7188290e5e5cbcc4081d5cd7fa63afc
Instruction Fuzzy Hash: 4FF015B1109752CFDB34AF64D494C66BBE4FF143293289A6EE1EAC2621CB319845DB10

Function 00922A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00922A66

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5d794e7c05b90300d0257439a579b175334b0082031c73221653184d262b88b7
Instruction ID: aa5fa0a211dea0612f0ae67b717935d25007c3c7b3e8d5ecd2d40c1b5f06e6b2
Opcode Fuzzy Hash: 5d794e7c05b90300d0257439a579b175334b0082031c73221653184d262b88b7
Instruction Fuzzy Hash: 16E0DF3235422ABAC710EB30EC809FE734CEB543907100536AC16C2590DB34998182A0

Function 008930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0089314E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aeb6b2a8347423c4c856e98b3b5d9350afb559f579edec67031cf192d6714624
Instruction ID: b2ae2000cba55576ddd15721df82509998a945e6a00fab1e727aa7277b30d08f
Opcode Fuzzy Hash: aeb6b2a8347423c4c856e98b3b5d9350afb559f579edec67031cf192d6714624
Instruction Fuzzy Hash: A7F0A7709183049FEB52AB24DC45BDA7BFCB701708F0400E9E149D6391D7B05788DF81

Function 00892DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00892DC4

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9e9a83864cb6431eb5bb39d28425194e25c5b646d4edc222299dca02119108fd
Instruction ID: 22dae07b4a1793604007a3ca8e436f36228cf0272beddce6e0b419be6a5024a0
Opcode Fuzzy Hash: 9e9a83864cb6431eb5bb39d28425194e25c5b646d4edc222299dca02119108fd
Instruction Fuzzy Hash: F4E0CD726041245BCB20A39CDC05FDA77DDEFC8790F040171FD09D7248ED60ED848551

Function 00892B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00893837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00893908

Part of subcall function 0089D730: GetInputState.USER32 ref: 0089D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00892B6B

Part of subcall function 008930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0089314E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 6f06e02803a0524bb4e4f2f6ff81353edeca4508b7005711d0a38faf5629ddfa
Instruction ID: b98a53f69119ddb04c254cc7230c53cc1c5707674e02e5c28968940bd2ead9e8
Opcode Fuzzy Hash: 6f06e02803a0524bb4e4f2f6ff81353edeca4508b7005711d0a38faf5629ddfa
Instruction Fuzzy Hash: CEE0862130434416CE18BB7D985257DA799FBD5351F4C153EF146D3172DE6445454253

Function 008D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008D0704,?,?,00000000,?,008D0704,00000000,0000000C), ref: 008D03B7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f6fb27f156d3203d4ebc8efb55de492b22e4c2461b81ff4d83132a1aecf4fe96
Instruction ID: fa79bcd366218414ed4a0a73c82ecf08c83433f5f4f99570275048d5f769fec2
Opcode Fuzzy Hash: f6fb27f156d3203d4ebc8efb55de492b22e4c2461b81ff4d83132a1aecf4fe96
Instruction Fuzzy Hash: F8D06C3205410DBBDF129F84DD06EDA3BAAFB48714F014000BE1856021C732E832AB90

Function 00891CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00891CBC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f29f214c0c3596f4df1ae9b8f0e0985eed36f7c5530a3a0ddc0d4fa557bf138b
Instruction ID: 92963e06b4f375e39d97179305db82b64f417297f3a27d8cbc09edb8539fa819
Opcode Fuzzy Hash: f29f214c0c3596f4df1ae9b8f0e0985eed36f7c5530a3a0ddc0d4fa557bf138b
Instruction Fuzzy Hash: 0CC092362AC304AFF3248B80BC4AF147764A758B00F088005F60AA96E3C3E26820FA90

Non-executed Functions

Function 00929576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0092961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0092965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0092969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009296C9
SendMessageW.USER32 ref: 009296F2
GetKeyState.USER32(00000011), ref: 0092978B
GetKeyState.USER32(00000009), ref: 00929798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009297AE
GetKeyState.USER32(00000010), ref: 009297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009297E9
SendMessageW.USER32 ref: 00929810
SendMessageW.USER32(?,00001030,?,00927E95), ref: 00929918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0092992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00929941
SetCapture.USER32(?), ref: 0092994A
ClientToScreen.USER32(?,?), ref: 009299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009299D6
ReleaseCapture.USER32 ref: 009299E1
GetCursorPos.USER32(?), ref: 00929A19
ScreenToClient.USER32(?,?), ref: 00929A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00929A80
SendMessageW.USER32 ref: 00929AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00929AEB
SendMessageW.USER32 ref: 00929B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00929B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00929B4A
GetCursorPos.USER32(?), ref: 00929B68
ScreenToClient.USER32(?,?), ref: 00929B75
GetParent.USER32(?), ref: 00929B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00929BFA
SendMessageW.USER32 ref: 00929C2B
ClientToScreen.USER32(?,?), ref: 00929C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00929CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00929CDE
SendMessageW.USER32 ref: 00929D01
ClientToScreen.USER32(?,?), ref: 00929D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00929D82

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

GetWindowLongW.USER32(?,000000F0), ref: 00929E05

Strings

@GUI_DRAGID, xrefs: 0092997D
F, xrefs: 00929D07

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 433778318564e539dd0b2b913c6c8d4395f7a85240f76fc14a06d5c860623896
Instruction ID: 4813a71111500988038904f46280012160892ce3022712ce4ccc4c092347e004
Opcode Fuzzy Hash: 433778318564e539dd0b2b913c6c8d4395f7a85240f76fc14a06d5c860623896
Instruction Fuzzy Hash: E242DD70208211AFDB24CF28EC44EAABBE9FF49314F140A1DF699872A4D731E851DF52

Function 00924873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00924908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00924927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0092494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0092495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0092497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00924A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00924A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00924A7E
IsMenu.USER32(?), ref: 00924A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00924AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00924B20
GetWindowLongW.USER32(?,000000F0), ref: 00924B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00924BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00924C82
wsprintfW.USER32 ref: 00924CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00924CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00924CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00924D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00924D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00924D5A

Strings

%d/%02d/%02d, xrefs: 00924CA8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 645fb5711935c2848035cc5d7b4b0f56796dd68433f5f07534500fc2f5fdcadf
Instruction ID: 00e3a2984b55572b9fe2dc53d9598838d605c742406f20c8362de4444b75b01f
Opcode Fuzzy Hash: 645fb5711935c2848035cc5d7b4b0f56796dd68433f5f07534500fc2f5fdcadf
Instruction Fuzzy Hash: 9212F171600225ABEB248F28EC49FAE7BF8FF85710F104529F516EB2E5DB789941CB50

Function 008AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008EF474
IsIconic.USER32(00000000), ref: 008EF47D
ShowWindow.USER32(00000000,00000009), ref: 008EF48A
SetForegroundWindow.USER32(00000000), ref: 008EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008EF4AA
GetCurrentThreadId.KERNEL32 ref: 008EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008EF4DE
SetForegroundWindow.USER32(00000000), ref: 008EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF4F6
keybd_event.USER32(00000012,00000000), ref: 008EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF50B
keybd_event.USER32(00000012,00000000), ref: 008EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF519
keybd_event.USER32(00000012,00000000), ref: 008EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF528
keybd_event.USER32(00000012,00000000), ref: 008EF52D
SetForegroundWindow.USER32(00000000), ref: 008EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008EF557

Strings

Shell_TrayWnd, xrefs: 008EF46F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 939ede3ac10b7bf312df9464f4d0b76f07cc67f2253a0124c9b089faefe00293
Instruction ID: 0d55460cdbaedcab1cb441cb2fbc0c6ad2cb1090a77230e2aa4850ff5a608461
Opcode Fuzzy Hash: 939ede3ac10b7bf312df9464f4d0b76f07cc67f2253a0124c9b089faefe00293
Instruction Fuzzy Hash: D53130B1A54218BAEB316BB65C4AFBF7E6CFB45B50F100065FA01E61D1C6B19901BBA0

Function 008F1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
Part of subcall function 008F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
Part of subcall function 008F16C3: GetLastError.KERNEL32 ref: 008F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008F12A8
CloseHandle.KERNEL32(?), ref: 008F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008F12D1
GetProcessWindowStation.USER32 ref: 008F12EA
SetProcessWindowStation.USER32(00000000), ref: 008F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008F1310

Part of subcall function 008F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008F11FC), ref: 008F10D4
Part of subcall function 008F10BF: CloseHandle.KERNEL32(?,?,008F11FC), ref: 008F10E9

Strings

, xrefs: 008F125A
winsta0, xrefs: 008F12CC
default, xrefs: 008F130B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ccf5ed1f73eb5e8c8cb3e45887d80c5727b31165a42e49e746942bec186b0ea3
Instruction ID: a6ae81dcb3d6b9ae1f8e9f51531b02ecb589c112b293cdad1d7f72fd99b0343c
Opcode Fuzzy Hash: ccf5ed1f73eb5e8c8cb3e45887d80c5727b31165a42e49e746942bec186b0ea3
Instruction Fuzzy Hash: 608188B1900209EBDF249FA8CC89BFE7BBAFF44704F144129FA11E62A1D7308955DB65

Function 008F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
Part of subcall function 008F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
Part of subcall function 008F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
Part of subcall function 008F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008F0C00
GetLengthSid.ADVAPI32(?), ref: 008F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008F0C6D
GetLengthSid.ADVAPI32(?), ref: 008F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008F0C8C
HeapAlloc.KERNEL32(00000000), ref: 008F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008F0CB4
CopySid.ADVAPI32(00000000), ref: 008F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D45
HeapFree.KERNEL32(00000000), ref: 008F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D55
HeapFree.KERNEL32(00000000), ref: 008F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D65
HeapFree.KERNEL32(00000000), ref: 008F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008F0D78
HeapFree.KERNEL32(00000000), ref: 008F0D7F

Part of subcall function 008F1193: GetProcessHeap.KERNEL32(00000008,008F0BB1,?,00000000,?,008F0BB1,?), ref: 008F11A1
Part of subcall function 008F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008F0BB1,?), ref: 008F11A8
Part of subcall function 008F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008F0BB1,?), ref: 008F11B7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3273f70116be7978fe8e1d29911112cc4e5e17182c002ec48db7ae0513357611
Instruction ID: 8ead7a390e6ac9483ddd1f21660ab863d80b75e5e3f9e38af61572c3d40a6a70
Opcode Fuzzy Hash: 3273f70116be7978fe8e1d29911112cc4e5e17182c002ec48db7ae0513357611
Instruction Fuzzy Hash: 52714BB190420EAFDF209FA4DC45BBEBBB9FF04300F144615EA14E6192D775A906DFA0

Function 0090EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0092CC08), ref: 0090EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0090EB37
GetClipboardData.USER32(0000000D), ref: 0090EB43
CloseClipboard.USER32 ref: 0090EB4F
GlobalLock.KERNEL32(00000000), ref: 0090EB87
CloseClipboard.USER32 ref: 0090EB91
GlobalUnlock.KERNEL32(00000000), ref: 0090EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0090EBC9
GetClipboardData.USER32(00000001), ref: 0090EBD1
GlobalLock.KERNEL32(00000000), ref: 0090EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0090EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0090EC38
GetClipboardData.USER32(0000000F), ref: 0090EC44
GlobalLock.KERNEL32(00000000), ref: 0090EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0090EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0090EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0090ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0090ECF3
CountClipboardFormats.USER32 ref: 0090ED14
CloseClipboard.USER32 ref: 0090ED59

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9048e19f288e93fbede0535f15b1d7e222f90ee9707be114ed568965599dc440
Instruction ID: 06468242b05d62336b0aa1172c376154ce933b29569b021ea41e497768a597d3
Opcode Fuzzy Hash: 9048e19f288e93fbede0535f15b1d7e222f90ee9707be114ed568965599dc440
Instruction Fuzzy Hash: 4861AE752082029FD710EF28D895F2A77A8FF84704F18491DF496D72E1DB31E946DBA2

Function 0090698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009069BE
FindClose.KERNEL32(00000000), ref: 00906A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00906A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00906A75

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00906AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00906ADF

Strings

%4d, xrefs: 00906BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00906B32
%03d, xrefs: 00906DA2
%02d, xrefs: 00906C00, 00906C0A, 00906C5A, 00906CAA, 00906CFA, 00906D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00906B6A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f68005460cc8593ca36fa0ff27de0bbd726fc8dd93c986ee4c54b0cbaab05c78
Instruction ID: 2783f8369899f9ff4257ff579e11e2332935a968bf793d62b2a3b93f0dd45f70
Opcode Fuzzy Hash: f68005460cc8593ca36fa0ff27de0bbd726fc8dd93c986ee4c54b0cbaab05c78
Instruction Fuzzy Hash: 3BD13DB2508300AEC714EBA8C881EABB7ECFF98704F44491DF595D6191EB74DA44CB63

Function 00909642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00909663
GetFileAttributesW.KERNEL32(?), ref: 009096A1
SetFileAttributesW.KERNEL32(?,?), ref: 009096BB
FindNextFileW.KERNEL32(00000000,?), ref: 009096D3
FindClose.KERNEL32(00000000), ref: 009096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0090974A
SetCurrentDirectoryW.KERNEL32(00956B7C), ref: 00909768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00909772
FindClose.KERNEL32(00000000), ref: 0090977F
FindClose.KERNEL32(00000000), ref: 0090978F

Strings

*.*, xrefs: 009096F5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2edc2916c54b7509977beb095adc86823311e9667b36fb9e1a85f310be22fdd2
Instruction ID: d800dfdb194ec595b4273aec75985798057a7268eac5e734f9a91fcad8cf6507
Opcode Fuzzy Hash: 2edc2916c54b7509977beb095adc86823311e9667b36fb9e1a85f310be22fdd2
Instruction Fuzzy Hash: F1310272545219AECF20EFB4EC09ADE77ACAF49321F104155F814E31E1DB31DE458B50

Function 0090979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00909819
FindClose.KERNEL32(00000000), ref: 00909824
FindFirstFileW.KERNEL32(*.*,?), ref: 00909840
SetCurrentDirectoryW.KERNEL32(?), ref: 00909890
SetCurrentDirectoryW.KERNEL32(00956B7C), ref: 009098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009098B8
FindClose.KERNEL32(00000000), ref: 009098C5
FindClose.KERNEL32(00000000), ref: 009098D5

Part of subcall function 008FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008FDB00

Strings

*.*, xrefs: 0090983B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 37877ce5bf4c25a522678b5bff5c284880b860615f8654589812e0508696652d
Instruction ID: 694e555a289080af42f0f75ce0f9eae0a45f05e4d7056f327ab9fca92be8527d
Opcode Fuzzy Hash: 37877ce5bf4c25a522678b5bff5c284880b860615f8654589812e0508696652d
Instruction Fuzzy Hash: C931E3725456196EDB20EFB4EC48ADE37ACEF46324F108555ED10E32E1DB30D9458B60

Function 0091BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0091BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0091BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0091C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0091C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0091C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0091C382
RegCloseKey.ADVAPI32(00000000), ref: 0091C38F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 9965ba5ae886067ba888ae924fd045a568a7e5b4a27c354a515dc490c880b840
Instruction ID: cea561848e50c5a9d3ab647140651f3717ecfc39acde30aeb516a1bc0b83d90b
Opcode Fuzzy Hash: 9965ba5ae886067ba888ae924fd045a568a7e5b4a27c354a515dc490c880b840
Instruction Fuzzy Hash: B6025FB1604204AFDB14DF28C895E6ABBE5FF49304F18849DF45ADB2A2D731EC46CB52

Function 00908195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00908257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00908267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00908273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00908310
SetCurrentDirectoryW.KERNEL32(?), ref: 00908324
SetCurrentDirectoryW.KERNEL32(?), ref: 00908356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0090838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00908395

Strings

*.*, xrefs: 0090839B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bc6b4f4bd3af58b7ea244a4917b571c72db00fda5b2227851e796425755a58be
Instruction ID: 1e214574887cd71730b12df77809c153f53b7a27b8056a6057b8c48a23559cbf
Opcode Fuzzy Hash: bc6b4f4bd3af58b7ea244a4917b571c72db00fda5b2227851e796425755a58be
Instruction Fuzzy Hash: ED614AB26087059FCB10EF68D8409AFB3E8FF89314F044929F999D7251EB35E945CB92

Function 008FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

FindFirstFileW.KERNEL32(?,?), ref: 008FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008FD1DD
MoveFileW.KERNEL32(?,?), ref: 008FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008FD237

Part of subcall function 008FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008FD21C,?,?), ref: 008FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008FD253
FindClose.KERNEL32(00000000), ref: 008FD264

Strings

\*.*, xrefs: 008FD0CD, 008FD0D6, 008FD0EB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: cc266ce45e32795b74c46572081266bed63b283d3acf38afe75e7e752ed8618f
Instruction ID: a8feb917be64c69676694ace2046f49cb61d543fc505f8fc6f0e81d8c613e4cf
Opcode Fuzzy Hash: cc266ce45e32795b74c46572081266bed63b283d3acf38afe75e7e752ed8618f
Instruction Fuzzy Hash: 45615B3180520D9ACF15EBA8C9929FDB7B6FF15300F244169E611B7191EB30AF09DBA2

Function 0090ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0090ED91
EmptyClipboard.USER32 ref: 0090ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0090EDAC
CloseClipboard.USER32 ref: 0090EEA3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c7f370511ca35619562d8186c829ab20022e9c5b620b53a21289ff0ec192a333
Instruction ID: b147001cbcaba10bdcde89d8cff23e3297f0c30a0bbd9714f7b2f97fad4e74d2
Opcode Fuzzy Hash: c7f370511ca35619562d8186c829ab20022e9c5b620b53a21289ff0ec192a333
Instruction Fuzzy Hash: 8D419D75208611AFD720DF15E888F19BBE5FF44318F18C499E41A8B6A2C775EC42CB90

Function 008FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
Part of subcall function 008F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
Part of subcall function 008F16C3: GetLastError.KERNEL32 ref: 008F174A

ExitWindowsEx.USER32(?,00000000), ref: 008FE932

Strings

SeShutdownPrivilege, xrefs: 008FE902
@, xrefs: 008FE925
, xrefs: 008FE95C
, xrefs: 008FE920

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1416761e4ed485ebc92b4cf1da17e9a01d69d29e12ed4c3c102160d7a3e84e75
Instruction ID: ab336dfda560312aebb030cc8e95c9bb84bd2c0edf407dc63b68b8cdaac4a783
Opcode Fuzzy Hash: 1416761e4ed485ebc92b4cf1da17e9a01d69d29e12ed4c3c102160d7a3e84e75
Instruction Fuzzy Hash: 5901267272021CABEB246BB89C8AFBF769CFB14745F140521FE02E21E1E9E05C4092F0

Function 00911204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00911276
WSAGetLastError.WSOCK32 ref: 00911283
bind.WSOCK32(00000000,?,00000010), ref: 009112BA
WSAGetLastError.WSOCK32 ref: 009112C5
closesocket.WSOCK32(00000000), ref: 009112F4
listen.WSOCK32(00000000,00000005), ref: 00911303
WSAGetLastError.WSOCK32 ref: 0091130D
closesocket.WSOCK32(00000000), ref: 0091133C

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5526a853660c60f779a0cd1b06fe1e6799113a23503940eedf3bbc18cd82afbd
Instruction ID: 1ca1a20a0a8f40f7aad1cd102dba08ff8e064d29319ec89850b4d5fab313381b
Opcode Fuzzy Hash: 5526a853660c60f779a0cd1b06fe1e6799113a23503940eedf3bbc18cd82afbd
Instruction Fuzzy Hash: FF41A071600144AFD720DF28C488B69BBE5BF46318F188488E9668F296C771ECC2CBE1

Function 008FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

FindFirstFileW.KERNEL32(?,?), ref: 008FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008FD481
FindClose.KERNEL32(00000000), ref: 008FD498
FindClose.KERNEL32(00000000), ref: 008FD4A1

Strings

\*.*, xrefs: 008FD3F2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9a1e23ba25e6635c9c89efb038ae711dfe98280e0a3e9e41ffd0f011c96f158d
Instruction ID: ff9cb0bf80bb69b22723e37cd65236eb6346b8c90431ea6ef479844afd733f39
Opcode Fuzzy Hash: 9a1e23ba25e6635c9c89efb038ae711dfe98280e0a3e9e41ffd0f011c96f158d
Instruction Fuzzy Hash: 8B316D710183459BC714FF68D8918BFB7A8FEA1304F484A2DF5E5D3191EB20EA0997A7

Function 008CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008CE645

Strings

1#QNAN, xrefs: 008CF84B
1#SNAN, xrefs: 008CF844
1#IND, xrefs: 008CF83D
1#INF, xrefs: 008CF852

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: cc197b249716cc5abe6e400222a34c5d60ff381dbac5a0950f7ce0859bb182a3
Instruction ID: f0c6d1d3a11715df4b10b0643bc3036199989e2c1f0edbfebfc07b024652ad44
Opcode Fuzzy Hash: cc197b249716cc5abe6e400222a34c5d60ff381dbac5a0950f7ce0859bb182a3
Instruction Fuzzy Hash: F2C21971E086288FDB25CE289D40BEAB7B6FB48315F1541EED54DE7241E774AE818F40

Function 0090648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009064DC
CoInitialize.OLE32(00000000), ref: 00906639
CoCreateInstance.OLE32(0092FCF8,00000000,00000001,0092FB68,?), ref: 00906650
CoUninitialize.OLE32 ref: 009068D4

Strings

.lnk, xrefs: 009064BA, 00906524, 009065E0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6f9e8ffe15e75f563a0830082a6ee27d33da403c548dc0e6d6252dad2742ac12
Instruction ID: 28791d021bef899f73c4e7fc557aa62baa9867efa2b81dee04b9cf514bd16428
Opcode Fuzzy Hash: 6f9e8ffe15e75f563a0830082a6ee27d33da403c548dc0e6d6252dad2742ac12
Instruction Fuzzy Hash: EED13971508201AFC714EF28C881D6BB7E9FF94704F44496DF595CB291EB71E909CB92

Function 009122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009122E8

Part of subcall function 0090E4EC: GetWindowRect.USER32(?,?), ref: 0090E504

GetDesktopWindow.USER32 ref: 00912312
GetWindowRect.USER32(00000000), ref: 00912319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00912355
GetCursorPos.USER32(?), ref: 00912381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009123DF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 74574ddbeff6d6bdbf6cf66ca01a06cf764c928cbfcc50f1b111749290f95d92
Instruction ID: 854b4648990de76f77df961e277c3f390c31b18d6a49f885a3097731aa95e7a9
Opcode Fuzzy Hash: 74574ddbeff6d6bdbf6cf66ca01a06cf764c928cbfcc50f1b111749290f95d92
Instruction Fuzzy Hash: 0231D072608319AFC720EF14C849F9BBBA9FF84710F000919F995D7191DB34EA5ACB92

Function 00909B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00909B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00909C8B

Part of subcall function 00903874: GetInputState.USER32 ref: 009038CB
Part of subcall function 00903874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00903966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00909BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00909C75

Strings

*.*, xrefs: 00909B5D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0ec7b3a038fe2f1921fa9837fe4047f69c12eb082cd1d3326f55d9a113e4115f
Instruction ID: 916f5d5ec7c1320197047e399e0889a4fca7ff2a5565f83b6c9e82477bcf2f80
Opcode Fuzzy Hash: 0ec7b3a038fe2f1921fa9837fe4047f69c12eb082cd1d3326f55d9a113e4115f
Instruction Fuzzy Hash: 2D418071D4421A9FDF14EF68C845AEE7BB8FF15310F244056E849A22D2EB309E44CF61

Function 008A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008A9A4E
GetSysColor.USER32(0000000F), ref: 008A9B23
SetBkColor.GDI32(?,00000000), ref: 008A9B36

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: ee6ad27072890388365bd0ccef7cbc6b0cd02bf6f5f4de3406cfe051af14391e
Instruction ID: 41fc4b36d2ef27e434c40ade22378a3229da0678295fbeb6d0d1ea74c45b1ef2
Opcode Fuzzy Hash: ee6ad27072890388365bd0ccef7cbc6b0cd02bf6f5f4de3406cfe051af14391e
Instruction Fuzzy Hash: 95A1297011C4A8BEF728AA3D9C49F7B3A9DFB83358F15410AF582C6DD5CA25AD01D272

Function 00911806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
Part of subcall function 0091304E: _wcslen.LIBCMT ref: 0091309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0091185D
WSAGetLastError.WSOCK32 ref: 00911884
bind.WSOCK32(00000000,?,00000010), ref: 009118DB
WSAGetLastError.WSOCK32 ref: 009118E6
closesocket.WSOCK32(00000000), ref: 00911915

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 10023fd1dd051b11c6ea957fcddb6b1135b0e9d34f986ec5e7d4163450e3e799
Instruction ID: 9bf350b59bb7a965c4ba897ee1fe0e62dad903fcb7a78eed6575f12f1ac95c2e
Opcode Fuzzy Hash: 10023fd1dd051b11c6ea957fcddb6b1135b0e9d34f986ec5e7d4163450e3e799
Instruction Fuzzy Hash: 5551C771B002106FEB10AF28D886F6A77E5EB45718F08C498F9159F3D3D771AD418B92

Function 00921C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00921CC0
IsWindowEnabled.USER32 ref: 00921CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00921CDB
IsIconic.USER32 ref: 00921CE9
IsZoomed.USER32 ref: 00921CF7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1d9466be4f216c95e63c074e98c4bda99d73ec6fe28204542bc267efc30cc541
Instruction ID: a3f4a3f359556b0c0b332016e5733b216b246d195e7003680b06eb978298842a
Opcode Fuzzy Hash: 1d9466be4f216c95e63c074e98c4bda99d73ec6fe28204542bc267efc30cc541
Instruction Fuzzy Hash: 9D21E5357442219FD720DF1AE844B2A7BE9FFA5314F198068E88ACB355CB71EC42CB90

Function 00898060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0089813C
VUUU, xrefs: 0089843C
VUUU, xrefs: 008D5DF0
VUUU, xrefs: 008983FA
VUUU, xrefs: 008983E8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ac8de6d5751c08d174887cfb27fcb19f4f3a1e8524b9075baa1eef93836b61d9
Instruction ID: e56f3e64c12c241e5aec752adfe5da48f59f75d29f6f045026d2822a6b346256
Opcode Fuzzy Hash: ac8de6d5751c08d174887cfb27fcb19f4f3a1e8524b9075baa1eef93836b61d9
Instruction Fuzzy Hash: 02A26D71A0061ECBDF24DF58C8407AEB7B1FB55314F2882AAE815EB385EB309D91CB50

Function 008FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008FAAAC
SetKeyboardState.USER32(00000080), ref: 008FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008FAB88

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b2bced905e3c03ed5d45978b31f0ede3f0d71d43f90768e8e4142f957c7164ff
Instruction ID: 76b3e9e8d2c6ca87b403c5bb73ecb3b10c12d0f07d7802bef059be9f3049476f
Opcode Fuzzy Hash: b2bced905e3c03ed5d45978b31f0ede3f0d71d43f90768e8e4142f957c7164ff
Instruction Fuzzy Hash: 2831E7B0A4025CAEFB398A78CC05BFA7BA6FB44330F14421AF689D61D1D3758985D762

Function 008CBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008CBB7F

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

GetTimeZoneInformation.KERNEL32 ref: 008CBB91
WideCharToMultiByte.KERNEL32(00000000,?,0096121C,000000FF,?,0000003F,?,?), ref: 008CBC09
WideCharToMultiByte.KERNEL32(00000000,?,00961270,000000FF,?,0000003F,?,?,?,0096121C,000000FF,?,0000003F,?,?), ref: 008CBC36

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 8dccef05b2dd2ce606a5cc437181cf4b43a14b9fde41f0a5c8aee0762fa6d9fa
Instruction ID: 5e2b10256c4351780e0efc3ff0de3dca8ec22ce8b6f41cb14912bd94084d5d8e
Opcode Fuzzy Hash: 8dccef05b2dd2ce606a5cc437181cf4b43a14b9fde41f0a5c8aee0762fa6d9fa
Instruction Fuzzy Hash: AC31BC70908645DFCB15DF69CC92A2ABBB8FF45760B1842AEE060D72A1D7709D01EB50

Function 0090CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0090CE89
GetLastError.KERNEL32(?,00000000), ref: 0090CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0090CEFE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 97bc2759aa5709e000377189aed3d08520e9ebc063e68b3aa48d3426a34c2e06
Instruction ID: b3fd1c177c8d532abfc33faac7b423935fc1a0400ab58c61b51b3e986c4884af
Opcode Fuzzy Hash: 97bc2759aa5709e000377189aed3d08520e9ebc063e68b3aa48d3426a34c2e06
Instruction Fuzzy Hash: CB21ACB1504705EFDB30DF65C988BAA77FCEB40314F204A2AE646D2191E774EE059B50

Function 008F8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008F82AA

Strings

|, xrefs: 008F82DA
(, xrefs: 008F82F0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bbaab64f140da529325f0a939c946b25ec4d36aefed733418d6719791fcbd0ca
Instruction ID: 76209af99be81a668ecae30474fdd241f644ad2611ad0dc1ca76ca4521435a68
Opcode Fuzzy Hash: bbaab64f140da529325f0a939c946b25ec4d36aefed733418d6719791fcbd0ca
Instruction Fuzzy Hash: 4C323475A00609DFCB28CF69C481A6AB7F0FF48710B15C56EE59ADB7A1EB70E941CB40

Function 00905C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00905CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00905D17
FindClose.KERNEL32(?), ref: 00905D5F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cfa3a9391112a96d6acad4ceae0a52a3785cd7d45ffa8c8bde34571c63681bde
Instruction ID: 1479ac108f8c8875b4f480c026f6e20c76cf6c1265ad7dda81c20865495b146b
Opcode Fuzzy Hash: cfa3a9391112a96d6acad4ceae0a52a3785cd7d45ffa8c8bde34571c63681bde
Instruction Fuzzy Hash: D851A975604A019FC714DF28C494A9AB7E8FF49324F15855EE99A8B3A2DB30EC04CF92

Function 008C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008C2731

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f3487d190cbc610263ac26c2926497b9a7a1466595d003cdcb490fb55022c06b
Instruction ID: 1675e68a701c7d149c5277739cfc8331eae9655b8a349951dec38264b62a30f4
Opcode Fuzzy Hash: f3487d190cbc610263ac26c2926497b9a7a1466595d003cdcb490fb55022c06b
Instruction Fuzzy Hash: 7431B4749112289BCB21DF68DC89BDDB7B8FF08310F5045EAE41CA62A1E7709F818F45

Function 009051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00905238
SetErrorMode.KERNEL32(00000000), ref: 009052A1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6ce0b544a80e6a3ffee9664007565e635f4955da63bee5e51165d70d4ce40fc3
Instruction ID: 89dfe726027e23c06e5327339022cfe22d66a8dde723fd01d2aa485c6309f36c
Opcode Fuzzy Hash: 6ce0b544a80e6a3ffee9664007565e635f4955da63bee5e51165d70d4ce40fc3
Instruction Fuzzy Hash: A2318075A14508DFDB00EF58D885EAEBBF4FF08314F098099E805AB3A2DB31E856CB51

Function 008F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008B0668
Part of subcall function 008AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
GetLastError.KERNEL32 ref: 008F174A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d5b42ae28b618522404b1f65b1a5f8e26cde0960373b86795c011f152040fb3d
Instruction ID: d71f60720a9ab339e58b561f6bc8ab63211ad60fd1450f340e2bd35bdd9949fc
Opcode Fuzzy Hash: d5b42ae28b618522404b1f65b1a5f8e26cde0960373b86795c011f152040fb3d
Instruction Fuzzy Hash: F411C4B1414308EFEB18AF64DC86D6AB7F9FB04714B20852EE15693641EB70BC418A60

Function 008FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008FD650

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e301ee7c83d3f297a770936307b68494068e2a4cb1ed08c19edd12d12bef6d34
Instruction ID: 97c19234fe43bcde5784928d021275aa4d716f946ce80141077c5fd7dd849c52
Opcode Fuzzy Hash: e301ee7c83d3f297a770936307b68494068e2a4cb1ed08c19edd12d12bef6d34
Instruction Fuzzy Hash: E4117CB1E05228BBDB208FA4DC45FAFBBBCEB45B60F108111FA04E7290D6704A058BA1

Function 008F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008F16A1
FreeSid.ADVAPI32(?), ref: 008F16B1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8cb9250641d88e04c9549a7c4ee27f3c9deb9429e16c69c0833af973691f1b9d
Instruction ID: 8dd8887079d6bda6c4ee8a29279b691c5b56d16649716171b6c6e4fffca2daa3
Opcode Fuzzy Hash: 8cb9250641d88e04c9549a7c4ee27f3c9deb9429e16c69c0833af973691f1b9d
Instruction Fuzzy Hash: 7DF0F4B199030DFBDF00DFE49C89EAEBBBCFB08644F504565E501E2181E774AA449A54

Function 008ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008ED28C

Strings

X64, xrefs: 008ED2A8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 81dc27d0ea430a67abc2b4e79761d8c45c0193899caadc9d788e710f7a802265
Instruction ID: f1bc18c6a3619718e1176d6ccd1abae70be427624eee6f39b1df23953b87fc4b
Opcode Fuzzy Hash: 81dc27d0ea430a67abc2b4e79761d8c45c0193899caadc9d788e710f7a802265
Instruction Fuzzy Hash: 94D0C9B581521DEACF90CB90DC88DDDB37CFB05309F100151F106E2000D73095499F10

Function 008BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8e7a043f67056e8580028e0abeb7d3b4227755c0e6337818f5cd5acd793377cc
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 7C021D71E001199BDF14CFA9C8906EEFBF1FF58314F25416AD819EB384D731A9458B94

Function 009068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00906918
FindClose.KERNEL32(00000000), ref: 00906961

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fab78604e89499754a705fb1dbea7a9210a7ac14520668ae40bf46de83323823
Instruction ID: 543ab83f36eec38df2c3e138049afa2829be0d19d2061739043b1994ca31828a
Opcode Fuzzy Hash: fab78604e89499754a705fb1dbea7a9210a7ac14520668ae40bf46de83323823
Instruction Fuzzy Hash: F11190726142019FC710DF29D484A1ABBE5FF85328F18C699F4798F6A2CB30EC05CB91

Function 009037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00914891,?,?,00000035,?), ref: 009037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00914891,?,?,00000035,?), ref: 009037F4

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 864a6b349a47e1604d9df0ca2440200c306950168e32c8ec6aaf0e073d94b541
Instruction ID: 9a4ca5b40512ce186ccdf3a638cb1947046ee263d1e01651cd1c01efea3b489f
Opcode Fuzzy Hash: 864a6b349a47e1604d9df0ca2440200c306950168e32c8ec6aaf0e073d94b541
Instruction Fuzzy Hash: 65F0ECB06042156AEB2057698C4DFDB375DEFC4761F000265F505D22C1D9609904C6F1

Function 008FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008FB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 008FB270

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d6a1ccb776ffb7bd3115e4926e0f11f6600e112bae9ea1e54b98b909c6b4646e
Instruction ID: 5138dbab3c3a328a21f68cc031c8c7a888a549a78203a5cf2704876abe1119fe
Opcode Fuzzy Hash: d6a1ccb776ffb7bd3115e4926e0f11f6600e112bae9ea1e54b98b909c6b4646e
Instruction Fuzzy Hash: 50F01D7181424DABDF159FA0C805BBE7BB4FF04309F108009F955A6191D379D6119F94

Function 008F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008F11FC), ref: 008F10D4
CloseHandle.KERNEL32(?,?,008F11FC), ref: 008F10E9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1f1a47d5387ce4f7811693d7bfa5c485b49293ae6d9509dd8dee1ced59ea4a47
Instruction ID: cd9fc78de35963fe1fa90f7c91b1a7081fd1a9ef48da967d48937591b97473e4
Opcode Fuzzy Hash: 1f1a47d5387ce4f7811693d7bfa5c485b49293ae6d9509dd8dee1ced59ea4a47
Instruction Fuzzy Hash: 54E04F72018600EEFB352B65FC09E7777E9FB04320B20882DF6A5C04B1DB626CA1EB54

Function 0089CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008E0C40

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 186f9b44ed5c3ecfcefe98c6f385916463b67cfe21c82f781b0687ad11160784
Instruction ID: 33a3508804177a6c6c691a5a4871062159bce6c7a6903618e073e2af9c69a583
Opcode Fuzzy Hash: 186f9b44ed5c3ecfcefe98c6f385916463b67cfe21c82f781b0687ad11160784
Instruction Fuzzy Hash: 4932AF70900218DBDF14EF94C884AEDB7B5FF05308F284469E806EB282DBB6AD45CF61

Function 008C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008C6766,?,?,00000008,?,?,008CFEFE,00000000), ref: 008C6998

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ab1074be47311f34f96de73b8e98b033f2ebbeccf47b90006461de312ee77244
Instruction ID: 3ebf78dd3ce3ceaae0b3e6bc00695da5c9bf64f1c53ce18cab245bbf387b50b3
Opcode Fuzzy Hash: ab1074be47311f34f96de73b8e98b033f2ebbeccf47b90006461de312ee77244
Instruction Fuzzy Hash: C0B139316106099FD715CF28C486F657BB0FF45368F29866CE89ACF2A2D335E9A5CB40

Function 008AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008E851F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 90faa77beb16d537957ff3b2c6d6ec804cce5aae33e6a766efdd37142330007d
Instruction ID: 3796aedafd440bc82f86346223dd0c0d304e35e8c267220519dcb2b37a84de7c
Opcode Fuzzy Hash: 90faa77beb16d537957ff3b2c6d6ec804cce5aae33e6a766efdd37142330007d
Instruction Fuzzy Hash: A6124F71900229DFDB24CF59C8806AEB7F5FF49710F14819AE849EB256EB349E81CF94

Function 0090EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0090EABD

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 99a28d8ca4835f42951cad1c92e13973b2eb082c06982d4c77f12483677a5896
Instruction ID: 94a5900aacd18900c96d8b49605da666cc9443bccb11b0bed56fcbaf1c4a1e67
Opcode Fuzzy Hash: 99a28d8ca4835f42951cad1c92e13973b2eb082c06982d4c77f12483677a5896
Instruction Fuzzy Hash: 32E01A362102049FC710EF59E804E9AB7E9FF98760F048816FC49C72A1DAB0A8418BA1

Function 008B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008B03EE), ref: 008B09DA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e65ebebed2c086320c7da9a7b34bf468fafceea00670548a216a338834796f2
Instruction ID: 012cbcde61fd796d938ca59ca2388a08b1776bc3aecc37c4f8d2048ced31be03
Opcode Fuzzy Hash: 9e65ebebed2c086320c7da9a7b34bf468fafceea00670548a216a338834796f2
Instruction Fuzzy Hash:

Function 008B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008B798B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6d2279e781342056ee57ff26188913dddb2e7bdb7da84e4abbe3da2c5e0eec55
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4C519B7160C74A9BDB38453C885E7FE2B89FBD2344F180539D882D7782CA19EE01D35A

Function 008C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e544ed109c3d42458b32f2cba763cc0f93d78713146b18242217323309a2b
Instruction ID: 8d560dcac462a700ae4688b08ac2230056c0cef57f0b33cf0e9b9f58c8961718
Opcode Fuzzy Hash: 0a0e544ed109c3d42458b32f2cba763cc0f93d78713146b18242217323309a2b
Instruction Fuzzy Hash: AE320F22D2DF014DD7239634D822336A659EFB73D5F15C32BE82AB5AA5EB39C4835900

Function 008ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9307d7b7cb8f6403a20fef37084d31ab747b8e44f87f713aaf7c542a1ee4503
Instruction ID: d32a5fdeeccd8ab0ef37509fc4a300decb05b76483749c6cd5c985d7e2bbad37
Opcode Fuzzy Hash: c9307d7b7cb8f6403a20fef37084d31ab747b8e44f87f713aaf7c542a1ee4503
Instruction Fuzzy Hash: 89321732E041998BDF28CF2BC49067D7BA1FB47324F28856AD95ACB691D230DD83DB41

Function 00897920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ca05c1f171960420cb9dd622bc6dd38a7b6af5489179014cb37a5bdfdcfceb
Instruction ID: c491e26ebc7e5bd415a6b74a87320e60fdc13adf04f9fcea5d68da108b1f5524
Opcode Fuzzy Hash: a3ca05c1f171960420cb9dd622bc6dd38a7b6af5489179014cb37a5bdfdcfceb
Instruction Fuzzy Hash: AE22BEB0A04609DFDF14DFA9D881AAEB7F6FF44314F14462AE812E7391EB35A910CB51

Function 008991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e1dc1a71c97819509a913498dd6889cb118a6ee3208349e95de10715e7b61c
Instruction ID: d484b55bb4d79ddd7781b6bb5ccbf6ac4248348740b70de72a7becdb179fd87d
Opcode Fuzzy Hash: 83e1dc1a71c97819509a913498dd6889cb118a6ee3208349e95de10715e7b61c
Instruction Fuzzy Hash: A202D7B0A10219EBDF05EF58D881AADB7B1FF44304F548169E456DF391EB31EA20CB91

Function 008C9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff3edd6255d7b5bb019be3aa878be334fbd1931c3d21a8457645b9eac66f20a
Instruction ID: 8f25d54925586857b1c03654cc1119773e7d9d67fabe012132234a80fa2502d1
Opcode Fuzzy Hash: 4ff3edd6255d7b5bb019be3aa878be334fbd1931c3d21a8457645b9eac66f20a
Instruction Fuzzy Hash: 5EB10020E7AF454DC32396398831336B65CAFBB6D9F91D31BFC2674D22EB2286835540

Function 008B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a58a3c8cbae874bd564fbba1771193ebed21fdcc09031891d44a14a1ce89c9bb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BF9156722080E349DF694639857C0BEFFE1EA523A139E079DD4F2CE2C5EE14D554D620

Function 008B1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 8fb18d6708ae5566dfe820ed83fedafa65d3c248a528fb986a6a076bec108fb2
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9165722094E349DB29423D84784BEFFE1EA923A135A079DD4F2CF3C5EE249555E720

Function 008B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 63f1cfeffacc0a6747ac0c4b8d917134d2e75d1e2f763da6c61d38343762c689
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 149154722090E34ADF69427A857C0BEFFE1EA923B139A079DD4F2CE2C5FE14D5549620

Function 008B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33daec84568925edb1c98a0d3c5cc7b5d11f8eb2e295e313eaaa693ef904380
Instruction ID: 7ae6cc7b58c6c28d904a2e26dd8197dd76d168f410db86e762759649db0ffa11
Opcode Fuzzy Hash: f33daec84568925edb1c98a0d3c5cc7b5d11f8eb2e295e313eaaa693ef904380
Instruction Fuzzy Hash: 07616671208719A6DE749A2C8CA5BFF2398FFC1764F20191EE942DB3D1DA119E42CB16

Function 008B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f432f3f35a5d0c065ecc4a8fe356dfb5d5bb45531fafa5d93b6b9fe765f58ed5
Instruction ID: 48b617adbdd8b1505ab4ef645723e9ff8f4ee989caa062fe37450df4f647a370
Opcode Fuzzy Hash: f432f3f35a5d0c065ecc4a8fe356dfb5d5bb45531fafa5d93b6b9fe765f58ed5
Instruction Fuzzy Hash: 76617A7120C70996DE385A2C88A5BFF2398FFC2B84F180959E943DF795DA12ED42C356

Function 008B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fcadcee6f49d448664cdaf79c6668415630b8200b5349d4cd2ff63dcaa3b0ec2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 138164326080E349DF694239857C4BEFFE1FA923A139A07ADD4F2CF2C5EE149554D620

Function 00902046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb53829feddf2bbe588af80457db1bb516890a62e7477a6170255167b296e31
Instruction ID: eb4c0d34cdde56328c94cd2e4a54748b477d94b11493ccef1fec1bd8aa2a9796
Opcode Fuzzy Hash: fdb53829feddf2bbe588af80457db1bb516890a62e7477a6170255167b296e31
Instruction Fuzzy Hash: 1421B7326206158FD728CF79C82767E73E9A754310F25862EE4A7C37D0DE75A904DB80

Function 00912ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00912B30
DeleteObject.GDI32(00000000), ref: 00912B43
DestroyWindow.USER32 ref: 00912B52
GetDesktopWindow.USER32 ref: 00912B6D
GetWindowRect.USER32(00000000), ref: 00912B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00912CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00912CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912CF8
GetClientRect.USER32(00000000,?), ref: 00912D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00912D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D80
GlobalLock.KERNEL32(00000000), ref: 00912D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D98
GlobalUnlock.KERNEL32(00000000), ref: 00912DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912DA8
GlobalFree.KERNEL32(00000000), ref: 00912DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0092FC38,00000000), ref: 00912DDB
GlobalFree.KERNEL32(00000000), ref: 00912DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00912E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00912E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091303F

Strings

static, xrefs: 00912D3A, 00912E91
AutoIt v3, xrefs: 00912CF2
DISPLAY, xrefs: 00912EA2
, xrefs: 00912FC5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 236a69fa122e8138ea4f3c503ecb13bfaf77b54c38258eeaf0d98131353ea22d
Instruction ID: 6a34a2e13e29c24537a9c7d5ab03c4f1cf578e49551fc246d7933bc1cd0af82e
Opcode Fuzzy Hash: 236a69fa122e8138ea4f3c503ecb13bfaf77b54c38258eeaf0d98131353ea22d
Instruction Fuzzy Hash: 7A026BB1A14209EFDB14DF64DD89EAE7BB9FB48310F048158F915AB2A1CB70AD41DB60

Function 009270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0092712F
GetSysColorBrush.USER32(0000000F), ref: 00927160
GetSysColor.USER32(0000000F), ref: 0092716C
SetBkColor.GDI32(?,000000FF), ref: 00927186
SelectObject.GDI32(?,?), ref: 00927195
InflateRect.USER32(?,000000FF,000000FF), ref: 009271C0
GetSysColor.USER32(00000010), ref: 009271C8
CreateSolidBrush.GDI32(00000000), ref: 009271CF
FrameRect.USER32(?,?,00000000), ref: 009271DE
DeleteObject.GDI32(00000000), ref: 009271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00927230
FillRect.USER32(?,?,?), ref: 00927262
GetWindowLongW.USER32(?,000000F0), ref: 00927284

Part of subcall function 009273E8: GetSysColor.USER32(00000012), ref: 00927421
Part of subcall function 009273E8: SetTextColor.GDI32(?,?), ref: 00927425
Part of subcall function 009273E8: GetSysColorBrush.USER32(0000000F), ref: 0092743B
Part of subcall function 009273E8: GetSysColor.USER32(0000000F), ref: 00927446
Part of subcall function 009273E8: GetSysColor.USER32(00000011), ref: 00927463
Part of subcall function 009273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00927471
Part of subcall function 009273E8: SelectObject.GDI32(?,00000000), ref: 00927482
Part of subcall function 009273E8: SetBkColor.GDI32(?,00000000), ref: 0092748B
Part of subcall function 009273E8: SelectObject.GDI32(?,?), ref: 00927498
Part of subcall function 009273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009274B7
Part of subcall function 009273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009274CE
Part of subcall function 009273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009274DB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ac399f154886e4b14bbf4bdaf46b11ba88a84a2b94549de471a523e05f47f1c3
Instruction ID: ce342e66122ec6de006d848220b6ba6b493ef8fb8639ae98a8f7374140b6f674
Opcode Fuzzy Hash: ac399f154886e4b14bbf4bdaf46b11ba88a84a2b94549de471a523e05f47f1c3
Instruction Fuzzy Hash: 5FA190B201C311AFDB109FA0EC48E5EBBA9FF49320F100A19F962A61E1D774E945DB52

Function 008A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008E6F43

Part of subcall function 008A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008A8BE8,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8FC5

SendMessageW.USER32(?,00001053), ref: 008E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008E6FB7

Strings

0, xrefs: 008E6DCF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ae516595d331af60aeaebcbfebaada2b3390f89de47b2572a260aef830f6e055
Instruction ID: 63f3f34c89e337fd1cbf0e886da772ce1c81f66a986b453117a5863f75425861
Opcode Fuzzy Hash: ae516595d331af60aeaebcbfebaada2b3390f89de47b2572a260aef830f6e055
Instruction Fuzzy Hash: BE12AD30208281DFDB25CF15D844BA9B7A1FF66350F184469F485CB661DB32EC62EF91

Function 00912711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0091273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0091286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00912900
GetClientRect.USER32(00000000,?), ref: 0091290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00912955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00912964
GetStockObject.GDI32(00000011), ref: 00912974
SelectObject.GDI32(00000000,00000000), ref: 00912978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00912988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00912991
DeleteDC.GDI32(00000000), ref: 0091299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00912A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00912A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00912A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00912A77
GetStockObject.GDI32(00000011), ref: 00912A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00912A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00912A97

Strings

msctls_progress32, xrefs: 00912A13
static, xrefs: 0091294F, 00912A71
AutoIt v3, xrefs: 009128F8
DISPLAY, xrefs: 0091295A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1189a7a8d250b225ae9efacca6a4240f086f4bdd61c21f668d99fbdac3350a4f
Instruction ID: 995211b429da630368ffd87eed4e7dd97584aa1033c04927ad18faf1c1c89407
Opcode Fuzzy Hash: 1189a7a8d250b225ae9efacca6a4240f086f4bdd61c21f668d99fbdac3350a4f
Instruction Fuzzy Hash: 92B15CB1A10219AFEB24DF68DC4AFAE7BA9FB48710F044118F915E72A0D770ED40DB94

Function 00904ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00904AED
GetDriveTypeW.KERNEL32(?,0092CB68,?,\\.\,0092CC08), ref: 00904BCA
SetErrorMode.KERNEL32(00000000,0092CB68,?,\\.\,0092CC08), ref: 00904D36

Strings

Fixed, xrefs: 00904C09
RAMDisk, xrefs: 00904BF4
\\.\, xrefs: 00904B3F
PhysicalDrive, xrefs: 00904B76
Network, xrefs: 00904C02
ATAPI, xrefs: 00904C91
Virtual, xrefs: 00904CE5
SSD, xrefs: 00904C4A
Removable, xrefs: 00904C10, 00904C15
Fibre, xrefs: 00904CAD
ATA, xrefs: 00904C98
SATA, xrefs: 00904CD0
SAS, xrefs: 00904CC9
FileBackedVirtual, xrefs: 00904CEC
RAID, xrefs: 00904CBB
Unknown, xrefs: 00904BED, 00904C83
SSA, xrefs: 00904CA6
MMC, xrefs: 00904CDE
1394, xrefs: 00904C9F
USB, xrefs: 00904CB4
SCSI, xrefs: 00904C8A
iSCSI, xrefs: 00904CC2
CDROM, xrefs: 00904BFB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6041360c060942cea31cddd2b2c4438fd2a524252799363830bd47e73556843b
Instruction ID: cb69ecf66b9c0085fa0075ec05afd6d6d0dd206ecc923d342fffb0aedb5fe28a
Opcode Fuzzy Hash: 6041360c060942cea31cddd2b2c4438fd2a524252799363830bd47e73556843b
Instruction Fuzzy Hash: 8C61F4B0605205EFDB04EF28CA829BC77B4FB85305B684815FA86EB2D1DB35ED45DB42

Function 009273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00927421
SetTextColor.GDI32(?,?), ref: 00927425
GetSysColorBrush.USER32(0000000F), ref: 0092743B
GetSysColor.USER32(0000000F), ref: 00927446
CreateSolidBrush.GDI32(?), ref: 0092744B
GetSysColor.USER32(00000011), ref: 00927463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00927471
SelectObject.GDI32(?,00000000), ref: 00927482
SetBkColor.GDI32(?,00000000), ref: 0092748B
SelectObject.GDI32(?,?), ref: 00927498
InflateRect.USER32(?,000000FF,000000FF), ref: 009274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0092752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00927554
InflateRect.USER32(?,000000FD,000000FD), ref: 00927572
DrawFocusRect.USER32(?,?), ref: 0092757D
GetSysColor.USER32(00000011), ref: 0092758E
SetTextColor.GDI32(?,00000000), ref: 00927596
DrawTextW.USER32(?,009270F5,000000FF,?,00000000), ref: 009275A8
SelectObject.GDI32(?,?), ref: 009275BF
DeleteObject.GDI32(?), ref: 009275CA
SelectObject.GDI32(?,?), ref: 009275D0
DeleteObject.GDI32(?), ref: 009275D5
SetTextColor.GDI32(?,?), ref: 009275DB
SetBkColor.GDI32(?,?), ref: 009275E5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 71659f15d07e46f5d6bfc18695d98691fc4593c956859bca63e1fb97ed7f0065
Instruction ID: 8dbad1497412d644a5aed93bafa22f7300086d5d85bf287b55e2fac20b2a7958
Opcode Fuzzy Hash: 71659f15d07e46f5d6bfc18695d98691fc4593c956859bca63e1fb97ed7f0065
Instruction Fuzzy Hash: 84617FB2908218AFDF119FA4DC49EAEBFB9EF08320F104115F911BB2A1D7749941DF90

Function 00920FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00921128
GetDesktopWindow.USER32 ref: 0092113D
GetWindowRect.USER32(00000000), ref: 00921144
GetWindowLongW.USER32(?,000000F0), ref: 00921199
DestroyWindow.USER32(?), ref: 009211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0092120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0092121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00921232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00921245
IsWindowVisible.USER32(00000000), ref: 009212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009212D0
GetWindowRect.USER32(00000000,?), ref: 009212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0092130E
GetMonitorInfoW.USER32(00000000,?), ref: 00921328
CopyRect.USER32(?,?), ref: 0092133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009213AA

Strings

tooltips_class32, xrefs: 009211E6
0, xrefs: 009210D3
(, xrefs: 0092131B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6aa4ded05b2af5672e65557cdbb2f70e33a42f13f34afab3e30456bde92fb793
Instruction ID: fa51971b49e5184415503678669f0e72b94fcc93963d7e9a6ea18577d16b067f
Opcode Fuzzy Hash: 6aa4ded05b2af5672e65557cdbb2f70e33a42f13f34afab3e30456bde92fb793
Instruction Fuzzy Hash: B6B1BD71608351AFDB10DF68D884B6EBBE9FF98310F00891CF9999B261C731E855CB92

Function 008A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008A8968
GetSystemMetrics.USER32(00000007), ref: 008A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008A899B
GetSystemMetrics.USER32(00000008), ref: 008A89A3
GetSystemMetrics.USER32(00000004), ref: 008A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008A8A5A
GetStockObject.GDI32(00000011), ref: 008A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008A8A81

Part of subcall function 008A912D: GetCursorPos.USER32(?), ref: 008A9141
Part of subcall function 008A912D: ScreenToClient.USER32(00000000,?), ref: 008A915E
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000001), ref: 008A9183
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000002), ref: 008A919D

SetTimer.USER32(00000000,00000000,00000028,008A90FC), ref: 008A8AA8

Strings

AutoIt v3 GUI, xrefs: 008A8A20

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 599bc078ee91bb18d52005095557587b4d661e64414c4a5a8fe882311fadc336
Instruction ID: f7af783eeb36cfb79f62100b357509e30695598b412e7331242ae1ada6a8f070
Opcode Fuzzy Hash: 599bc078ee91bb18d52005095557587b4d661e64414c4a5a8fe882311fadc336
Instruction Fuzzy Hash: 8BB17C71A0420AEFDB14DFA8DC45BAE3BB4FB49314F144229FA15E7290DB74E851CB61

Function 008F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
Part of subcall function 008F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
Part of subcall function 008F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
Part of subcall function 008F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008F0E29
GetLengthSid.ADVAPI32(?), ref: 008F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008F0E96
GetLengthSid.ADVAPI32(?), ref: 008F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008F0EB5
HeapAlloc.KERNEL32(00000000), ref: 008F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008F0EDD
CopySid.ADVAPI32(00000000), ref: 008F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F6E
HeapFree.KERNEL32(00000000), ref: 008F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F7E
HeapFree.KERNEL32(00000000), ref: 008F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F8E
HeapFree.KERNEL32(00000000), ref: 008F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008F0FA1
HeapFree.KERNEL32(00000000), ref: 008F0FA8

Part of subcall function 008F1193: GetProcessHeap.KERNEL32(00000008,008F0BB1,?,00000000,?,008F0BB1,?), ref: 008F11A1
Part of subcall function 008F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008F0BB1,?), ref: 008F11A8
Part of subcall function 008F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008F0BB1,?), ref: 008F11B7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e59855f4895eb9618f27940aa8dad63382c2f659357f1b4ccdc22f4d0a268a23
Instruction ID: 346d028c4e716a875ef0bd238261e3827b7df75ccb81dbc3e5ca946c324ccf8a
Opcode Fuzzy Hash: e59855f4895eb9618f27940aa8dad63382c2f659357f1b4ccdc22f4d0a268a23
Instruction Fuzzy Hash: D37139B290420AAFDF209FA4DC49FBEBBB8FF04310F144115EA59E6192DB719916CF60

Function 0091C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0092CC08,00000000,?,00000000,?,?), ref: 0091C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0091C5A4
_wcslen.LIBCMT ref: 0091C5F4
_wcslen.LIBCMT ref: 0091C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0091C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0091C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0091C84D
RegCloseKey.ADVAPI32(?), ref: 0091C881
RegCloseKey.ADVAPI32(00000000), ref: 0091C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0091C960

Strings

REG_QWORD, xrefs: 0091C8C3
REG_SZ, xrefs: 0091C644
REG_BINARY, xrefs: 0091C913
REG_EXPAND_SZ, xrefs: 0091C5CD
REG_MULTI_SZ, xrefs: 0091C6F5
REG_DWORD, xrefs: 0091C804

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 11d941873dd1da285ad745d1f5ae117f5937df153c572abfd85ff8a73baf1e6d
Instruction ID: dbb2e28134e274bb5fdd9c027fb076d65ed725687d9e2654d6c773893121d939
Opcode Fuzzy Hash: 11d941873dd1da285ad745d1f5ae117f5937df153c572abfd85ff8a73baf1e6d
Instruction Fuzzy Hash: DA124E757082019FDB14EF18C491A6AB7E5FF88714F19885CF85A9B3A2DB31ED41CB82

Function 0092091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009209C6
_wcslen.LIBCMT ref: 00920A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00920A54
_wcslen.LIBCMT ref: 00920A8A
_wcslen.LIBCMT ref: 00920B06
_wcslen.LIBCMT ref: 00920B81

Part of subcall function 008AF9F2: _wcslen.LIBCMT ref: 008AF9FD

Part of subcall function 008F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008F2BFA

Strings

UNCHECK, xrefs: 00920D3E
GETTOTALCOUNT, xrefs: 009209F2, 00920A17
GETITEMCOUNT, xrefs: 00920C1E
ISCHECKED, xrefs: 00920CE1
GETSELECTED, xrefs: 00920C4E
SELECT, xrefs: 00920D11
EXISTS, xrefs: 00920B7C, 00920B97
EXPAND, xrefs: 00920BF8
COLLAPSE, xrefs: 00920B01, 00920B1C
CHECK, xrefs: 00920A85, 00920AA0
GETTEXT, xrefs: 00920C97

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3a3d0072712252ec30bb009527a60a4b11981c01be3b9fc4e04fc1af7647eafc
Instruction ID: 36851e93b13d0700d3903be91444e3b69286c06b4e12eae5e0faf36805e16609
Opcode Fuzzy Hash: 3a3d0072712252ec30bb009527a60a4b11981c01be3b9fc4e04fc1af7647eafc
Instruction Fuzzy Hash: 72E19A312083118FCB24EF29D45092AB7E5FFD8314B54895CF8969B7A6D731EE49CB82

Function 0091C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
_wcslen.LIBCMT ref: 0091C9F1
_wcslen.LIBCMT ref: 0091CA68
_wcslen.LIBCMT ref: 0091CA9E
_wcslen.LIBCMT ref: 0091CAF9
_wcslen.LIBCMT ref: 0091CB2F
_wcslen.LIBCMT ref: 0091CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0091CA62, 0091CA67
HKEY_CURRENT_CONFIG, xrefs: 0091CB79, 0091CB7E
HKCC, xrefs: 0091CBAC
HKLM, xrefs: 0091CA98, 0091CA9D
HKEY_CURRENT_USER, xrefs: 0091CBBD
HKCR, xrefs: 0091CB29, 0091CB2E
HKCU, xrefs: 0091CBCE
HKU, xrefs: 0091CBF0
HKEY_USERS, xrefs: 0091CBDF
HKEY_CLASSES_ROOT, xrefs: 0091CAF3, 0091CAF8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ac290968f3646a4b90f5715363c90e5db829b235ab604cfe340a24e6a5c56997
Instruction ID: 5f11c8b97a21faa24205c1577a50a044a91b56d019108500f3e60ded3e626a51
Opcode Fuzzy Hash: ac290968f3646a4b90f5715363c90e5db829b235ab604cfe340a24e6a5c56997
Instruction Fuzzy Hash: AF7102B278412E8BCB20DEAC99415FF3399AF60750B250528FC66E7285E634CEC4C3A1

Function 0092833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092835A
_wcslen.LIBCMT ref: 0092836E
_wcslen.LIBCMT ref: 00928391
_wcslen.LIBCMT ref: 009283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0092361A,?), ref: 0092844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00928487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00928501
FreeLibrary.KERNEL32(?), ref: 0092850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0092851D
DestroyIcon.USER32(?), ref: 0092852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00928549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00928555

Strings

.exe, xrefs: 00928388
.dll, xrefs: 009283AB
.icl, xrefs: 00928368

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a6b6308bf68d99e959a0c7f80cbc4940a70b10633db3d9146b022fe30b25f5cc
Instruction ID: 1a150d607e0e99131ebd882663a1d5f2aa23efc7a76d8f7f58d20cb674d40e3a
Opcode Fuzzy Hash: a6b6308bf68d99e959a0c7f80cbc4940a70b10633db3d9146b022fe30b25f5cc
Instruction Fuzzy Hash: 7261CDB1514225BAEB24DB64EC42FBF77ACFF08B11F104509F815D61E1DB74AA80D7A0

Function 00897778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0089785F, 008978B1
#comments-end, xrefs: 008978D9
#requireadmin, xrefs: 008977FF
#cs, xrefs: 00897873, 008978C5
', xrefs: 008D5169
#ce, xrefs: 008978ED
", xrefs: 008D5153
#include, xrefs: 00897847
Cannot parse #include, xrefs: 008D5279
Unterminated group of comments, xrefs: 008D528C
#include-once, xrefs: 0089782F
#OnAutoItStartRegister, xrefs: 00897817
#notrayicon, xrefs: 008977E7
Bad directive syntax error, xrefs: 008D519A
#pragma compile, xrefs: 008977D3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 86bf633bb1512f411a3002ebcbe547c94128d16f2f43e1b563893c66984e45d5
Instruction ID: 0d75b6f5fcbd025d37724ca87dc5a30abf8feb1e8b6a047119b24522217bfed0
Opcode Fuzzy Hash: 86bf633bb1512f411a3002ebcbe547c94128d16f2f43e1b563893c66984e45d5
Instruction Fuzzy Hash: 97811671610205BBDF20BF68DC42FAE37A9FF55304F084026F904EA296EB70D911C792

Function 00903E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00903EF8
_wcslen.LIBCMT ref: 00903F03
_wcslen.LIBCMT ref: 00903F5A
_wcslen.LIBCMT ref: 00903F98
GetDriveTypeW.KERNEL32(?), ref: 00903FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00904059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00904087

Strings

type cdaudio alias cd wait, xrefs: 00904001
closed, xrefs: 00903F08, 00903F2D, 00903F46, 00903F7E, 00903F97
close, xrefs: 00903EFE, 00903F18
close cd wait, xrefs: 00904072
open , xrefs: 00903FE5
open, xrefs: 00903F54, 00903F59
wait, xrefs: 00904044
set cd door , xrefs: 00904028

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6bf85bf7eead04c398aec3ba685a7f315c0a972ec95a4a1d49d3c0597817c059
Instruction ID: 01b81920c839b0c5e302fba9f0feaa2f6be6c9eb45d673df15b14dd3b8ad9ab6
Opcode Fuzzy Hash: 6bf85bf7eead04c398aec3ba685a7f315c0a972ec95a4a1d49d3c0597817c059
Instruction Fuzzy Hash: 0771C3726042029FC710EF29C88186AB7F8FF94758F44892DFA95D7291EB31DD49CB92

Function 008F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008F5A40
SetWindowTextW.USER32(?,?), ref: 008F5A57
GetDlgItem.USER32(?,000003EA), ref: 008F5A6C
SetWindowTextW.USER32(00000000,?), ref: 008F5A72
GetDlgItem.USER32(?,000003E9), ref: 008F5A82
SetWindowTextW.USER32(00000000,?), ref: 008F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008F5AC3
GetWindowRect.USER32(?,?), ref: 008F5ACC
_wcslen.LIBCMT ref: 008F5B33
SetWindowTextW.USER32(?,?), ref: 008F5B6F
GetDesktopWindow.USER32 ref: 008F5B75
GetWindowRect.USER32(00000000), ref: 008F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008F5BD3
GetClientRect.USER32(?,?), ref: 008F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008F5C2F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 400b6b9a59771327a1c361cbb33ce9148dcf448a82912c5d589fce6643a3d877
Instruction ID: 027f927f3aedcbec47dc18534339ade6e1164135eaa46213bafcdb2ba8e01b2e
Opcode Fuzzy Hash: 400b6b9a59771327a1c361cbb33ce9148dcf448a82912c5d589fce6643a3d877
Instruction Fuzzy Hash: 8B717C71900B09AFDB20DFB8CE89AAEBBF5FF48714F104918E642E25A0D775E944DB50

Function 0090FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0090FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0090FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0090FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0090FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0090FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0090FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0090FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0090FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0090FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0090FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0090FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0090FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0090FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0090FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0090FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0090FECC
GetCursorInfo.USER32(?), ref: 0090FEDC
GetLastError.KERNEL32 ref: 0090FF1E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e8d9bc88d9980066217ac6da7e0e1cdb427f7b1c37eb349e582c5e8b0185612c
Instruction ID: 81baf36202fa9cb68e66fec38c45e5f2a1343b9a492db8dd19307e8c209375af
Opcode Fuzzy Hash: e8d9bc88d9980066217ac6da7e0e1cdb427f7b1c37eb349e582c5e8b0185612c
Instruction Fuzzy Hash: FE4124B0D0831A6EDB20DFBA8C8585EBFE8FF04754B54452AE11DE7681DB78A901CE91

Function 008B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008B00C6

Part of subcall function 008B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0096070C,00000FA0,047C1EF9,?,?,?,?,008D23B3,000000FF), ref: 008B011C
Part of subcall function 008B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008D23B3,000000FF), ref: 008B0127
Part of subcall function 008B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008D23B3,000000FF), ref: 008B0138
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008B014E
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008B015C
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008B016A
Part of subcall function 008B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008B0195
Part of subcall function 008B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008B01A0

___scrt_fastfail.LIBCMT ref: 008B00E7

Part of subcall function 008B00A3: __onexit.LIBCMT ref: 008B00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 008B0122
InitializeConditionVariable, xrefs: 008B0148
SleepConditionVariableCS, xrefs: 008B0154
kernel32.dll, xrefs: 008B0133
WakeAllConditionVariable, xrefs: 008B0162

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 11d064739a0c6e0695680c60dc5d59ba7604917685a10e1e62206854ac734a2e
Instruction ID: a09372293641f23204d03a27e1c9ba25eb601ea3e35ee715373768b483376e57
Opcode Fuzzy Hash: 11d064739a0c6e0695680c60dc5d59ba7604917685a10e1e62206854ac734a2e
Instruction Fuzzy Hash: 5B213872A5C7116FE7246BA8AC46BAF33A4FB85B55F000539F901E73D2DBB09C009E91

Function 008F30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F318D
_wcslen.LIBCMT ref: 008F31F8

Strings

NAME, xrefs: 008F3335, 008F3346
TEXT, xrefs: 008F347C
CLASSNN, xrefs: 008F31F3, 008F3204
REGEXPCLASS, xrefs: 008F3255, 008F3266
INSTANCE, xrefs: 008F3453
CLASS, xrefs: 008F3188, 008F31A5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 4396c42767ef1b9ab9ad895d2779f8f66fa55ea78c503fcbf092cb4dfc1e90c5
Instruction ID: 59a2f8f0fc1a7f0d61cc5cfecd575cdba3a9e972c4962071f472faf3dedca110
Opcode Fuzzy Hash: 4396c42767ef1b9ab9ad895d2779f8f66fa55ea78c503fcbf092cb4dfc1e90c5
Instruction Fuzzy Hash: 03E1D732A0061EABCB24DFB8C4516FEBBB4FF54714F548119EA56F7241DB30AE858790

Function 009044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0092CC08), ref: 00904527
_wcslen.LIBCMT ref: 0090453B
_wcslen.LIBCMT ref: 00904599
_wcslen.LIBCMT ref: 009045F4
_wcslen.LIBCMT ref: 0090463F
_wcslen.LIBCMT ref: 009046A7

Part of subcall function 008AF9F2: _wcslen.LIBCMT ref: 008AF9FD

GetDriveTypeW.KERNEL32(?,00956BF0,00000061), ref: 00904743

Strings

network, xrefs: 0090469D, 009046A2
cdrom, xrefs: 0090458F, 00904594
fixed, xrefs: 00904635, 0090463A
all, xrefs: 00904531, 00904536
ramdisk, xrefs: 009046F1
removable, xrefs: 009045EA, 009045EF
unknown, xrefs: 00904708

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ce5ff6729f6efbcc60a076c76038ec6007039c9c267e8913c8acd159ebc1937e
Instruction ID: 6597a32d29ead5a4147cf1bc1a05e3b0a5012d44e4c81428e8e1a9778f04b48c
Opcode Fuzzy Hash: ce5ff6729f6efbcc60a076c76038ec6007039c9c267e8913c8acd159ebc1937e
Instruction Fuzzy Hash: 08B1EFB16083029FC710EF28C891A6AB7E9FFA5720F54491DF696C72D1E731D844CB92

Function 00913FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0092CC08), ref: 009140BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009140CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0092CC08), ref: 009140F2
FreeLibrary.KERNEL32(00000000,?,0092CC08), ref: 0091413E
StringFromGUID2.OLE32(?,?,00000028,?,0092CC08), ref: 009141A8
SysFreeString.OLEAUT32(00000009), ref: 00914262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009142C8
SysFreeString.OLEAUT32(?), ref: 009142F2

Strings

GetModuleHandleExW, xrefs: 009140C7
kernel32.dll, xrefs: 009140B6

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 4f434b316393a81eb0956a0f46a052b684dab0307ee1475a2d40e80daeba9a16
Instruction ID: 64030f1247bdab1256b9df2f9f74f992bbadf8f32eb2ea26f78cc4cb89a7d59d
Opcode Fuzzy Hash: 4f434b316393a81eb0956a0f46a052b684dab0307ee1475a2d40e80daeba9a16
Instruction Fuzzy Hash: 7C125E75A00119EFDB14DF54C884EAEB7B9FF49318F248498F905AB261D731ED86CBA0

Function 0089326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00961990), ref: 008D2F8D
GetMenuItemCount.USER32(00961990), ref: 008D303D
GetCursorPos.USER32(?), ref: 008D3081
SetForegroundWindow.USER32(00000000), ref: 008D308A
TrackPopupMenuEx.USER32(00961990,00000000,?,00000000,00000000,00000000), ref: 008D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008D30A9

Strings

0, xrefs: 0089327D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5322262e484b43d362bb6df72b2115858d2d6e3882e901223646b2e487091840
Instruction ID: 8df3f269f2580d52e1027245433edefff3d9c534152fdd734ad26f62ad8a2a93
Opcode Fuzzy Hash: 5322262e484b43d362bb6df72b2115858d2d6e3882e901223646b2e487091840
Instruction Fuzzy Hash: EA710571644209BAEB319B68CC49FAABF64FF55324F240216F514EA2E0C7B1A910DB91

Function 00926CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00926DEB

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00926E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00926E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00926E94
DestroyWindow.USER32(?), ref: 00926EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00890000,00000000), ref: 00926EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00926EFD
GetDesktopWindow.USER32 ref: 00926F16
GetWindowRect.USER32(00000000), ref: 00926F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00926F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00926F4D

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

Strings

tooltips_class32, xrefs: 00926E58, 00926EDD
0, xrefs: 00926D98

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6ffb20eabf36a534808c6fe94aaf20030868ac6b2ba9f8c848477d4b7d1f61ad
Instruction ID: 134e74ff17452cfc44fb843a41eaa22dab59fcd847380df93b88ea61747ae6c4
Opcode Fuzzy Hash: 6ffb20eabf36a534808c6fe94aaf20030868ac6b2ba9f8c848477d4b7d1f61ad
Instruction Fuzzy Hash: 977168B4108245AFDB21DF18EC44FAABBF9FB89304F18081DF98997661D770A916DF12

Function 0092911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00929147

Part of subcall function 00927674: ClientToScreen.USER32(?,?), ref: 0092769A
Part of subcall function 00927674: GetWindowRect.USER32(?,?), ref: 00927710
Part of subcall function 00927674: PtInRect.USER32(?,?,00928B89), ref: 00927720

SendMessageW.USER32(?,000000B0,?,?), ref: 009291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00929225
SendMessageW.USER32(?,000000B0,?,?), ref: 0092923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00929255
SendMessageW.USER32(?,000000B1,?,?), ref: 00929277
DragFinish.SHELL32(?), ref: 0092927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00929371

Strings

@GUI_DRAGID, xrefs: 009292E9
@GUI_DROPID, xrefs: 0092929E
@GUI_DRAGFILE, xrefs: 00929320

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: db9aa252ba815a9401998ef746d5222526415c2f775deda39c95b5546aacb481
Instruction ID: 612fa7255f85b01a366ebb03e90958835683291048eb2e2d79b4e8292f21e72f
Opcode Fuzzy Hash: db9aa252ba815a9401998ef746d5222526415c2f775deda39c95b5546aacb481
Instruction Fuzzy Hash: 31614771108301AFC715EF68DC85DAFBBE8FF89750F04092EF595921A1DB709A49CBA2

Function 0090C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0090C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0090C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0090C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0090C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0090C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0090C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0090C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0090C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0090C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0090C5F0
InternetCloseHandle.WININET(00000000), ref: 0090C5FB

Strings

, xrefs: 0090C575

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c757150d21291f4e45d547cdf4f57ef06ca0ba8f0d1e86424bb4ee78aeebd60b
Instruction ID: 26b17c8f926a336a4190753c0810a4ba097d85d72b5b7157e440c4eed2735d58
Opcode Fuzzy Hash: c757150d21291f4e45d547cdf4f57ef06ca0ba8f0d1e86424bb4ee78aeebd60b
Instruction Fuzzy Hash: 93515AF4504609BFDB219F60CD88AAB7BBCFF08754F004619F94596290DB34E945ABA0

Function 0092856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00928592
GetFileSize.KERNEL32(00000000,00000000), ref: 009285A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 009285AD
CloseHandle.KERNEL32(00000000), ref: 009285BA
GlobalLock.KERNEL32(00000000), ref: 009285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009285D7
GlobalUnlock.KERNEL32(00000000), ref: 009285E0
CloseHandle.KERNEL32(00000000), ref: 009285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009285F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0092FC38,?), ref: 00928611
GlobalFree.KERNEL32(00000000), ref: 00928621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00928641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00928671
DeleteObject.GDI32(00000000), ref: 00928699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009286AF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 48a8f571b638fc57e619e91d6ef9ca7a3f80f3bffc80784e3598220c7a0f8e9f
Instruction ID: 1721ac766a38eeac7c78c9de9f56c92e3ae315003c3b5913ba33ea99fe75d8bc
Opcode Fuzzy Hash: 48a8f571b638fc57e619e91d6ef9ca7a3f80f3bffc80784e3598220c7a0f8e9f
Instruction Fuzzy Hash: D24129B5605214AFDB21DFA5DC48EAF7BBCEF89715F104058F915E7260DB30A902DB60

Function 009014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00901502
VariantCopy.OLEAUT32(?,?), ref: 0090150B
VariantClear.OLEAUT32(?), ref: 00901517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00901657
VariantInit.OLEAUT32(?), ref: 00901708
SysFreeString.OLEAUT32(?), ref: 0090178C
VariantClear.OLEAUT32(?), ref: 009017D8
VariantClear.OLEAUT32(?), ref: 009017E7
VariantInit.OLEAUT32(00000000), ref: 00901823

Strings

Default, xrefs: 009016AF
%4d%02d%02d%02d%02d%02d, xrefs: 00901625

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 12add9a2d423a1741093e4f9918a937331f6f9ddaa0101871d3187388d85ebee
Instruction ID: f90d61c670022697872ba936d62584c7bd5801eb7d19a1cdc0314fe7276b2926
Opcode Fuzzy Hash: 12add9a2d423a1741093e4f9918a937331f6f9ddaa0101871d3187388d85ebee
Instruction Fuzzy Hash: 69D1ED71A00205DFEB10AFA9E885B6DB7B9FF45700F14845AF406AF5D1DB34E841EBA2

Function 0091B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0091B80A
RegCloseKey.ADVAPI32(?), ref: 0091B87E
RegCloseKey.ADVAPI32(?), ref: 0091B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0091B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0091B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0091B922
FreeLibrary.KERNEL32(00000000), ref: 0091B983
RegCloseKey.ADVAPI32(00000000), ref: 0091B994

Strings

advapi32.dll, xrefs: 0091B8ED
RegDeleteKeyExW, xrefs: 0091B8FE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a0812b47da977a0a4b1bc42017614de316a8ff77f0e9a0c42eed541909365e91
Instruction ID: 5e3629db2249386a3221d41a460348e938091e0fff1d3adebb8a8cf1e0472fa6
Opcode Fuzzy Hash: a0812b47da977a0a4b1bc42017614de316a8ff77f0e9a0c42eed541909365e91
Instruction Fuzzy Hash: 86C19331208205AFD714DF18C495F6ABBE5FF84318F18845CF4598B2A2CB75ED86CB92

Function 0091255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009125E8
CreateCompatibleDC.GDI32(?), ref: 009125F4
SelectObject.GDI32(00000000,?), ref: 00912601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0091266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009126D0
SelectObject.GDI32(?,?), ref: 009126D8
DeleteObject.GDI32(?), ref: 009126E1
DeleteDC.GDI32(?), ref: 009126E8
ReleaseDC.USER32(00000000,?), ref: 009126F3

Strings

(, xrefs: 0091268D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9f256d04f3b71a3293f1c780d9e37c3db2c2610705c058c4cbfc9eb50f9040b9
Instruction ID: fab7493158b5d5f40d5cdf84bfc635e4e68d0897885aae7403c48c4f22ff7cbe
Opcode Fuzzy Hash: 9f256d04f3b71a3293f1c780d9e37c3db2c2610705c058c4cbfc9eb50f9040b9
Instruction Fuzzy Hash: 696124B5E00219EFCF14DFA8C884AAEBBF5FF48300F20842AE955A7250D730A951DF90

Function 008CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008CDAA1

Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD659
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD66B
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD67D
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD68F
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6A1
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6B3
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6C5
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6D7
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6E9
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6FB
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD70D
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD71F
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD731

_free.LIBCMT ref: 008CDA96

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CDAB8
_free.LIBCMT ref: 008CDACD
_free.LIBCMT ref: 008CDAD8
_free.LIBCMT ref: 008CDAFA
_free.LIBCMT ref: 008CDB0D
_free.LIBCMT ref: 008CDB1B
_free.LIBCMT ref: 008CDB26
_free.LIBCMT ref: 008CDB5E
_free.LIBCMT ref: 008CDB65
_free.LIBCMT ref: 008CDB82
_free.LIBCMT ref: 008CDB9A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 51666cde5c20e825158e4b85a718ea6d54c49a7dcd7614b53d3ac4692ad43481
Instruction ID: a5bcbabbe0bf8d22c350414f9e0d3a63147751a398206b7e213e64f3b44b27d2
Opcode Fuzzy Hash: 51666cde5c20e825158e4b85a718ea6d54c49a7dcd7614b53d3ac4692ad43481
Instruction Fuzzy Hash: 463116726047059FEB22BA39E845F5ABBF9FF10361F15842DE449D7192DA31EC84CB21

Function 008F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008F369C
_wcslen.LIBCMT ref: 008F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008F3797
GetClassNameW.USER32(?,?,00000400), ref: 008F380C
GetDlgCtrlID.USER32(?), ref: 008F385D
GetWindowRect.USER32(?,?), ref: 008F3882
GetParent.USER32(?), ref: 008F38A0
ScreenToClient.USER32(00000000), ref: 008F38A7
GetClassNameW.USER32(?,?,00000100), ref: 008F3921
GetWindowTextW.USER32(?,?,00000400), ref: 008F395D

Strings

%s%u, xrefs: 008F3734

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2e95c1220fbd6d3e33711183c995f07568f55faed9d7aaa39a8c8fa216cb390a
Instruction ID: 0b17a7deaad95e3e56a53c8ebcdfb61eab94f0538aaced37cbeab6a0e52ef008
Opcode Fuzzy Hash: 2e95c1220fbd6d3e33711183c995f07568f55faed9d7aaa39a8c8fa216cb390a
Instruction Fuzzy Hash: C291D27120460AAFD718DF34C885BFAF7A8FF44354F008629FA99D2190DB74EA46CB91

Function 008F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008F4994
GetWindowTextW.USER32(?,?,00000400), ref: 008F49DA
_wcslen.LIBCMT ref: 008F49EB
CharUpperBuffW.USER32(?,00000000), ref: 008F49F7
_wcsstr.LIBVCRUNTIME ref: 008F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008F4B20
GetWindowRect.USER32(?,?), ref: 008F4B8B

Strings

ThumbnailClass, xrefs: 008F4A6F, 008F4AF1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 17142e4e9d0999907251aaff9f969d8502496d7bbb5a8e97b5f069f6b0300c0f
Instruction ID: a8bda7ab5d510cf104eabde8e7329c91a6d9d4caa9cc6f6bbf26da947c9a4810
Opcode Fuzzy Hash: 17142e4e9d0999907251aaff9f969d8502496d7bbb5a8e97b5f069f6b0300c0f
Instruction Fuzzy Hash: 14919E7110820A9FDB04DF68C985BBB77A8FF84314F04546AFE85DA196DB30ED45CBA2

Function 008FBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00961990,000000FF,00000000,00000030), ref: 008FBFAC
SetMenuItemInfoW.USER32(00961990,00000004,00000000,00000030), ref: 008FBFE1
Sleep.KERNEL32(000001F4), ref: 008FBFF3
GetMenuItemCount.USER32(?), ref: 008FC039
GetMenuItemID.USER32(?,00000000), ref: 008FC056
GetMenuItemID.USER32(?,-00000001), ref: 008FC082
GetMenuItemID.USER32(?,?), ref: 008FC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008FC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FC145

Strings

0, xrefs: 008FBF3D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 05a9c9242013aa24afd3bb5dec0f3560abb80a98753b24c5a07f31fea172c1e1
Instruction ID: 8848b8c916d710df1abbe444cd5c2eb10d8081ab130ad060536fcdd3a87893d4
Opcode Fuzzy Hash: 05a9c9242013aa24afd3bb5dec0f3560abb80a98753b24c5a07f31fea172c1e1
Instruction Fuzzy Hash: BB617CB091424EAFDB25CF68CE88EBE7BA8FB45344F040115FA11E3291CB31AE55DB61

Function 0091CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0091CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0091CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0091CD48

Part of subcall function 0091CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0091CCAA
Part of subcall function 0091CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0091CCBD
Part of subcall function 0091CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0091CCCF
Part of subcall function 0091CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0091CD05
Part of subcall function 0091CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0091CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0091CCF3

Strings

advapi32.dll, xrefs: 0091CCB8
RegDeleteKeyExW, xrefs: 0091CCC9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f47b0e006fca1e1abee4361665562402774e1a78f7bede7e799cd7998e39a4de
Instruction ID: 7ab21cb55a26f3840793506fdfa9a3ff2531cba8d40758b6bb2a8227d4343d55
Opcode Fuzzy Hash: f47b0e006fca1e1abee4361665562402774e1a78f7bede7e799cd7998e39a4de
Instruction Fuzzy Hash: BA319EB5A8512CBBDB218B51DC88EFFBB7CEF45740F000465A905E2241DA748E86EAA0

Function 00903D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00903D40
_wcslen.LIBCMT ref: 00903D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00903D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00903DBE
RemoveDirectoryW.KERNEL32(?), ref: 00903DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00903E55
CloseHandle.KERNEL32(00000000), ref: 00903E60
CloseHandle.KERNEL32(00000000), ref: 00903E6B

Strings

:, xrefs: 00903D82
\??\%s, xrefs: 00903D5B
\, xrefs: 00903D77

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ab57eeba03dcb80ea0618e1ffc7af44b8fa7c57f53f42e97e134d38eafc0e716
Instruction ID: e1f1b64db6ea0abd1bdc1bbdf7d4f924b4a89c921c4103ce60526cc4ec6f83a7
Opcode Fuzzy Hash: ab57eeba03dcb80ea0618e1ffc7af44b8fa7c57f53f42e97e134d38eafc0e716
Instruction Fuzzy Hash: 2B31B2B1914209ABDB21DBA4DC49FEF37BCEF88700F1081B6F519D61A0EB7497458B24

Function 008FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008FE6B4

Part of subcall function 008AE551: timeGetTime.WINMM(?,?,008FE6D4), ref: 008AE555

Sleep.KERNEL32(0000000A), ref: 008FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008FE727
SetActiveWindow.USER32 ref: 008FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008FE773
Sleep.KERNEL32(000000FA), ref: 008FE77E
IsWindow.USER32 ref: 008FE78A
EndDialog.USER32(00000000), ref: 008FE79B

Strings

BUTTON, xrefs: 008FE719

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 135f77061f52dc9c8db790df048fa86dc6684220b0ce587116f2ad038dd8b49e
Instruction ID: fe919c4abdee0798c3b4fc176df5d214b3a1b87d39d1ead54f69cf11074cb547
Opcode Fuzzy Hash: 135f77061f52dc9c8db790df048fa86dc6684220b0ce587116f2ad038dd8b49e
Instruction Fuzzy Hash: 232165B022860DAFEB205F75EC8DE3D3B69F754749B10042AF612C1171DBB59C11AB25

Function 008FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008FEAA7

Strings

play PlayMe wait, xrefs: 008FEA91
status PlayMe mode, xrefs: 008FEA58
alias PlayMe, xrefs: 008FEA36
play PlayMe, xrefs: 008FEAA2
open , xrefs: 008FEA0C
close PlayMe, xrefs: 008FEA6E, 008FEA9B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cfa9a451a30f5f62a4dbccee06ad5d5686b8ff69503288a749b4f8b8f11354af
Instruction ID: bc8d6cc179887939fc352e1af5cb11c44d0df0b58daadc5f69ca363dbfb0676e
Opcode Fuzzy Hash: cfa9a451a30f5f62a4dbccee06ad5d5686b8ff69503288a749b4f8b8f11354af
Instruction Fuzzy Hash: EC118F61A9022979DB20F7A6DC5ADFF6A7CFBE1F44F440429B901E20E0EA700909C6B1

Function 008F9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008FA012
SetKeyboardState.USER32(?), ref: 008FA07D
GetAsyncKeyState.USER32(000000A0), ref: 008FA09D
GetKeyState.USER32(000000A0), ref: 008FA0B4
GetAsyncKeyState.USER32(000000A1), ref: 008FA0E3
GetKeyState.USER32(000000A1), ref: 008FA0F4
GetAsyncKeyState.USER32(00000011), ref: 008FA120
GetKeyState.USER32(00000011), ref: 008FA12E
GetAsyncKeyState.USER32(00000012), ref: 008FA157
GetKeyState.USER32(00000012), ref: 008FA165
GetAsyncKeyState.USER32(0000005B), ref: 008FA18E
GetKeyState.USER32(0000005B), ref: 008FA19C

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57478b92f1f8597ecde9bf8c969b6dc9e113867efa8918b9177bc485cfb34eea
Instruction ID: b314b1c41ef38e0f061d82c72f37d6e85c354dc8714cadbbac554eacf9554a41
Opcode Fuzzy Hash: 57478b92f1f8597ecde9bf8c969b6dc9e113867efa8918b9177bc485cfb34eea
Instruction Fuzzy Hash: 5551D96090478C29FB39DB7484147FABFB4EF12390F088599D6C6D71C2DA64AA8CC763

Function 008F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008F5CE2
GetWindowRect.USER32(00000000,?), ref: 008F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008F5D59
GetDlgItem.USER32(?,00000002), ref: 008F5D69
GetWindowRect.USER32(00000000,?), ref: 008F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008F5DCF
GetDlgItem.USER32(?,000003E9), ref: 008F5DDD
GetWindowRect.USER32(00000000,?), ref: 008F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008F5E31
GetDlgItem.USER32(?,000003EA), ref: 008F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008F5E67

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e62a5cde89405bc482db469322debf5a10c7deada663124a92866e1e6ef54110
Instruction ID: 33f896137c4551927902fc8b25d21b8465e75216bad49ea46c28bce940149f4d
Opcode Fuzzy Hash: e62a5cde89405bc482db469322debf5a10c7deada663124a92866e1e6ef54110
Instruction Fuzzy Hash: 2951FEB1A10609AFDF18DF68DD89AAEBBB9FB48300F148129F615E6690D7709E05CB50

Function 008A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008A8BE8,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8FC5

DestroyWindow.USER32(?), ref: 008A8C81
KillTimer.USER32(00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000), ref: 008E69D4
DeleteObject.GDI32(00000000), ref: 008E69E6

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fd3fae47b4e33df176ca04a2a60d1db0f26da12034d6ce59e798a7bf1ed8e893
Instruction ID: 1025f6fa6bf773cd0392724bbd0447d793e8ef8d3ea4b4846ce15a0b0caaa7a9
Opcode Fuzzy Hash: fd3fae47b4e33df176ca04a2a60d1db0f26da12034d6ce59e798a7bf1ed8e893
Instruction Fuzzy Hash: 4361DB30416640DFEB359F19D948B29BBF1FB52326F18452CE042DB960CB71ACA1EFA0

Function 008A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

GetSysColor.USER32(0000000F), ref: 008A9862

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3261611dc767e740a882813f35cdd127847cd6b4e873f0ed8149838aa635c0ea
Instruction ID: b0525c8b400e36eeaff09570d5801ea9af767bb18b3dc8a5f189e5089fa8bc4b
Opcode Fuzzy Hash: 3261611dc767e740a882813f35cdd127847cd6b4e873f0ed8149838aa635c0ea
Instruction Fuzzy Hash: C8418E7110C644AAEB305F389C85BB93B65FB07320F144655FAE2C71E2C6799C42EB11

Function 008F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008F9717
LoadStringW.USER32(00000000,?,008DF7F8,00000001), ref: 008F9720

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008F9742
LoadStringW.USER32(00000000,?,008DF7F8,00000001), ref: 008F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008F9866

Strings

Line %d (File "%s"):, xrefs: 008F978F
Error: , xrefs: 008F981D
%s (%d) : ==> %s: %s %s, xrefs: 008F984A
^ ERROR, xrefs: 008F97FB
Line %d:, xrefs: 008F97A0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 858b57cbca155b200a9f5cf98ccf212b32f62eaa1bb02762fa183bd8f3a9c338
Instruction ID: 458ee819098eab01443b13b9d5dfb6fcb97f8abb783822d13e276e0d95063b65
Opcode Fuzzy Hash: 858b57cbca155b200a9f5cf98ccf212b32f62eaa1bb02762fa183bd8f3a9c338
Instruction Fuzzy Hash: B9413A72804209AACF04FBE8DD46EEE7778FF55344F540029F605B2192EB256F48DB62

Function 008F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008F083C

Strings

\IPC$, xrefs: 008F0784
\CLSID, xrefs: 008F0724
SOFTWARE\Classes\, xrefs: 008F070E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: bcf731b97c28837902d36f6cc231c3feafceb3f00c7d1f2909df871ab892b52f
Instruction ID: 160c31724674f7f70eedfd3633cf0b95242b32a3e19341d61f2b422c31200d2d
Opcode Fuzzy Hash: bcf731b97c28837902d36f6cc231c3feafceb3f00c7d1f2909df871ab892b52f
Instruction Fuzzy Hash: BD410772C10229AFCF25EBA8DC958EEB778FF44350F494169E911A3161EB309E04CF91

Function 00923F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0092403B
CreateCompatibleDC.GDI32(00000000), ref: 00924042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00924055
SelectObject.GDI32(00000000,00000000), ref: 0092405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00924068
DeleteDC.GDI32(00000000), ref: 00924072
GetWindowLongW.USER32(?,000000EC), ref: 0092407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00924092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0092409E

Strings

static, xrefs: 00923FD3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f7c5c4edce0dd7836c43c1e979b3a8c531f31989dcafc03d904c9fc2a07a4a6b
Instruction ID: 24f408aa00858a59156bc467bdbab2d17d472e505f99e964a31366d6bd597acd
Opcode Fuzzy Hash: f7c5c4edce0dd7836c43c1e979b3a8c531f31989dcafc03d904c9fc2a07a4a6b
Instruction Fuzzy Hash: C2317A72555225BBDF219FA4EC09FDE3B68EF0D724F100210FA18A61A0C775D861EB94

Function 00913C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00913C5C
CoInitialize.OLE32(00000000), ref: 00913C8A
CoUninitialize.OLE32 ref: 00913C94
_wcslen.LIBCMT ref: 00913D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00913DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00913ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00913F0E
CoGetObject.OLE32(?,00000000,0092FB98,?), ref: 00913F2D
SetErrorMode.KERNEL32(00000000), ref: 00913F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00913FC4
VariantClear.OLEAUT32(?), ref: 00913FD8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b700c01d7a3421195cfb03cd59f32837087286866abea872a1ee5c684d301413
Instruction ID: 9ca5add3afe135ba0377b621021bd2d0c848c6adb2a335b38f1c734e27f3e761
Opcode Fuzzy Hash: b700c01d7a3421195cfb03cd59f32837087286866abea872a1ee5c684d301413
Instruction Fuzzy Hash: CBC132716083099FD710DF28C88496ABBF9FF89744F04891DF98A9B251D730EE46CB92

Function 00907A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00907AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00907B8F
SHGetDesktopFolder.SHELL32(?), ref: 00907BA3
CoCreateInstance.OLE32(0092FD08,00000000,00000001,00956E6C,?), ref: 00907BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00907C74
CoTaskMemFree.OLE32(?,?), ref: 00907CCC
SHBrowseForFolderW.SHELL32(?), ref: 00907D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00907D7A
CoTaskMemFree.OLE32(00000000), ref: 00907D81
CoTaskMemFree.OLE32(00000000), ref: 00907DD6
CoUninitialize.OLE32 ref: 00907DDC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 746e143c715a4516f84948b5511e3d90876bfdbfc959078611b04be9019c67a8
Instruction ID: 43005c5a5adc49e86153d69b9b7d094714d01348d74c6d89661f19a679750bdb
Opcode Fuzzy Hash: 746e143c715a4516f84948b5511e3d90876bfdbfc959078611b04be9019c67a8
Instruction Fuzzy Hash: 25C1F875A04119AFDB14DFA8C884DAEBBB9FF48314B148499E819DB3A1D730EE45CB90

Function 0092541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00925504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00925515
CharNextW.USER32(00000158), ref: 00925544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00925585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0092559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009255AC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: faa4391109080b7558ed2ef5dca9144bfd11328bdeeb47c8d8e4d15de0f2c342
Instruction ID: 8912759dd538191e415b500e1338f5f0942b73f6c4e2301283d948741f403d02
Opcode Fuzzy Hash: faa4391109080b7558ed2ef5dca9144bfd11328bdeeb47c8d8e4d15de0f2c342
Instruction Fuzzy Hash: 2E61DF74904629EFDF209F94EC84EFE7BB9EF09320F118005F925A72A4C7748A81DB60

Function 008EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008EFB08
VariantInit.OLEAUT32(?), ref: 008EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008EFB3A
VariantCopy.OLEAUT32(?,?), ref: 008EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008EFBA1
VariantClear.OLEAUT32(?), ref: 008EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008EFBCC
VariantClear.OLEAUT32(?), ref: 008EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008EFBE9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bdd00370c82f0139871c43b7fa7c4053d07beff8500fd2eb70fb327bb88ce269
Instruction ID: b452d33075a5a4fbf61f7b713ae16623375bc25ccc1120cc27663b9ef0d6de99
Opcode Fuzzy Hash: bdd00370c82f0139871c43b7fa7c4053d07beff8500fd2eb70fb327bb88ce269
Instruction Fuzzy Hash: 9E417275A14219AFCF10EF69CC549AEBBB9FF48354F008065E905E7261CB30A946CF91

Function 008F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008F9D22
GetKeyState.USER32(000000A0), ref: 008F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008F9D57
GetKeyState.USER32(000000A1), ref: 008F9D6C
GetAsyncKeyState.USER32(00000011), ref: 008F9D84
GetKeyState.USER32(00000011), ref: 008F9D96
GetAsyncKeyState.USER32(00000012), ref: 008F9DAE
GetKeyState.USER32(00000012), ref: 008F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008F9DD8
GetKeyState.USER32(0000005B), ref: 008F9DEA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b054d7d19ed49f9d4ddc52fe5ae3eeba3664fe3a66c46d198bbb9c1aa914c3a
Instruction ID: b1e31a8254a4f3b41dbfc224c4d168a37a53453aa3636a5e70a652ae0490932e
Opcode Fuzzy Hash: 4b054d7d19ed49f9d4ddc52fe5ae3eeba3664fe3a66c46d198bbb9c1aa914c3a
Instruction Fuzzy Hash: F2419674508BCE6DFF31967488047B5BEA0FF12344F14805ADBC6D66C2DBA599C8C7A2

Function 0091055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009105BC
inet_addr.WSOCK32(?), ref: 0091061C
gethostbyname.WSOCK32(?), ref: 00910628
IcmpCreateFile.IPHLPAPI ref: 00910636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009107B9
WSACleanup.WSOCK32 ref: 009107BF

Strings

Ping, xrefs: 00910676

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 78e212df206ec4cd89265b652682f70557d92f8e2685c95c71f799c10a23e490
Instruction ID: 345ba1aceec5a4ce611e5b621697dcb8c2c9dfa9aac40d1bc9bc4c481d199239
Opcode Fuzzy Hash: 78e212df206ec4cd89265b652682f70557d92f8e2685c95c71f799c10a23e490
Instruction Fuzzy Hash: 7F918E756082019FD720DF19C889B5ABBE4FF84358F1485A9F4698B6A2C771EDC1CF81

Function 00918CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00918CF3

Part of subcall function 008F8E54: _wcslen.LIBCMT ref: 008F8E77

_wcslen.LIBCMT ref: 00918D4E
_wcslen.LIBCMT ref: 00918D9C
_wcslen.LIBCMT ref: 00918DDC
_wcslen.LIBCMT ref: 00918E6E

Strings

stdcall, xrefs: 00918DD6, 00918DDB
winapi, xrefs: 00918D96, 00918D9B
cdecl, xrefs: 00918D48, 00918D4D
none, xrefs: 00918E65, 00918E6A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 91c19d3c59f3ba85f6f8c9f1ed9d6693aa5efb25998cd23bf37d69d48f0c2d63
Instruction ID: 91599653dd77f16e83e7b23b3854aa2463c8aa8f8bcceb05fb9b9c001d87ca71
Opcode Fuzzy Hash: 91c19d3c59f3ba85f6f8c9f1ed9d6693aa5efb25998cd23bf37d69d48f0c2d63
Instruction Fuzzy Hash: FF519F31A0011A9ACF24EF6CC8409FFB7A9FF64324B244629E826E72C0DB30DD80D791

Function 0091372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00913774
CoUninitialize.OLE32 ref: 0091377F
CoCreateInstance.OLE32(?,00000000,00000017,0092FB78,?), ref: 009137D9
IIDFromString.OLE32(?,?), ref: 0091384C
VariantInit.OLEAUT32(?), ref: 009138E4
VariantClear.OLEAUT32(?), ref: 00913936

Strings

Failed to create object, xrefs: 009137E4, 0091389A
Invalid parameter, xrefs: 00913865
NULL Pointer assignment, xrefs: 0091381E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f2bea62d94136f9643a751e14201139544a5ad982d1a8a9e2f94135077fb78d3
Instruction ID: e4a4a84fc020c050fcb10c26e7a06c03e1f1a7bf9a8f811fe1184d6485d974b2
Opcode Fuzzy Hash: f2bea62d94136f9643a751e14201139544a5ad982d1a8a9e2f94135077fb78d3
Instruction Fuzzy Hash: B961A170708305AFD710DF64C844BAABBF8EF89714F108859F98597291D770EE88CB92

Function 00903388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009033CF

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009033F0

Strings

Incorrect parameters to object property !, xrefs: 009034AB
"%s" (%d) : ==> %s:, xrefs: 00903522
Line %d (File "%s"):, xrefs: 00903443, 0090345C
Error: , xrefs: 009034D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00903504
^ ERROR , xrefs: 0090349E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4bfd5760f6f2dd5ca4b42fb63ee321004572f9ad86380c175dae583cc2038986
Instruction ID: 54889578e06040b6f6887671e7ce8d2f4d4a07e67785adb41c85dbd093ad9928
Opcode Fuzzy Hash: 4bfd5760f6f2dd5ca4b42fb63ee321004572f9ad86380c175dae583cc2038986
Instruction Fuzzy Hash: 9651A071900209AADF15FBA8DD42EEEB778FF04344F184169F505B21A2EB712F58DB62

Function 008FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008FB5FC
_wcslen.LIBCMT ref: 008FB608
_wcslen.LIBCMT ref: 008FB64D
_wcslen.LIBCMT ref: 008FB68C
_wcslen.LIBCMT ref: 008FB6C7

Strings

APPEND, xrefs: 008FB6C1, 008FB6C6
EXISTS, xrefs: 008FB686, 008FB68B
KEYS, xrefs: 008FB647, 008FB64C
REMOVE, xrefs: 008FB602, 008FB607

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 1bd92da370f89fee3559ed51a2b56f8bece23703fb3d72b112fa844b1e1cfbd8
Instruction ID: 24f77bf97222ce75ad9c0643cdf2162781983005022172682c0fa499bec65fab
Opcode Fuzzy Hash: 1bd92da370f89fee3559ed51a2b56f8bece23703fb3d72b112fa844b1e1cfbd8
Instruction Fuzzy Hash: CA41B632A0012A9BCB20AF7DCC915BE7BA5FF74758B254129E661DB284F739CD81C790

Function 00905393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00905416
GetLastError.KERNEL32 ref: 00905420
SetErrorMode.KERNEL32(00000000,READY), ref: 009054A7

Strings

READY, xrefs: 00905460, 00905468
INVALID, xrefs: 00905459
READONLY, xrefs: 00905452
UNKNOWN, xrefs: 00905444
NOTREADY, xrefs: 0090544B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: da4c3bfed5a711c23c5e76e99d1afc5ee294804adc39cd6f49604244e0f9ee0a
Instruction ID: 6be1a06c143a1327fdc8bfd9b97c4f790a028ee560713a614ad3d098687267b9
Opcode Fuzzy Hash: da4c3bfed5a711c23c5e76e99d1afc5ee294804adc39cd6f49604244e0f9ee0a
Instruction Fuzzy Hash: E3319D75A006059FCB10DF69C885AEABBB8FF04305F598469E805CB2E2DB70DD86CF91

Function 00923C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00923C79
SetMenu.USER32(?,00000000), ref: 00923C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00923D10
IsMenu.USER32(?), ref: 00923D24
CreatePopupMenu.USER32 ref: 00923D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00923D5B
DrawMenuBar.USER32 ref: 00923D63

Strings

0, xrefs: 00923C54
F, xrefs: 00923D4E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1ec1e780b395112e04b46e0ef9b523cac8e31a661f2978ddfbc77917528fe314
Instruction ID: 297245c810a2550667de25f0b16fb920cdb2725605654a7f8065c9a248c91587
Opcode Fuzzy Hash: 1ec1e780b395112e04b46e0ef9b523cac8e31a661f2978ddfbc77917528fe314
Instruction Fuzzy Hash: D04189B4A15219AFDB24CF64E844EAA7BB9FF49310F144028F946A73A0D774EA10DF90

Function 008F1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008F1F64
GetDlgCtrlID.USER32 ref: 008F1F6F
GetParent.USER32 ref: 008F1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F1F8E
GetDlgCtrlID.USER32(?), ref: 008F1F97
GetParent.USER32(?), ref: 008F1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F1FAE

Strings

ListBox, xrefs: 008F1F21
ComboBox, xrefs: 008F1EEC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0dcd71f96a398b196dfd792797e8f57e7145e3d57edfc293e99edd2945dda3c7
Instruction ID: bcdbbad428739d3f99d46839d219dc7d38256b49c94c77b8be091eecdcd906c9
Opcode Fuzzy Hash: 0dcd71f96a398b196dfd792797e8f57e7145e3d57edfc293e99edd2945dda3c7
Instruction Fuzzy Hash: C421C270A00218BBCF14EFA5DC99DFEBBB8FF05314B000119FA61A72A1CB345909DB60

Function 008F1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008F2043
GetDlgCtrlID.USER32 ref: 008F204E
GetParent.USER32 ref: 008F206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F206D
GetDlgCtrlID.USER32(?), ref: 008F2076
GetParent.USER32(?), ref: 008F208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F208D

Strings

ListBox, xrefs: 008F2002
ComboBox, xrefs: 008F1FCD

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8a02786bcff3d243a1cd3e50fbda5d8a7a25077cca505149c77265c93d8306f4
Instruction ID: 086438a16164c66f59701a31974f0019e8bfcbfb783499fcadfcbe8407f14ae4
Opcode Fuzzy Hash: 8a02786bcff3d243a1cd3e50fbda5d8a7a25077cca505149c77265c93d8306f4
Instruction Fuzzy Hash: 8E2192B5900218BBCF10AFB5CC45EFEBBB8FF45344F004015FA51A72A1DA755919DB61

Function 00923A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00923A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00923AA0
GetWindowLongW.USER32(?,000000F0), ref: 00923AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00923AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00923B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00923BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00923BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00923BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00923BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00923C13

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 112030f2a30385aef083143fe30366fb2e6a1b71ddf1793f9ba1b29f2ee791d9
Instruction ID: dd7d7ed9a464abb01b5636b75773747ee8c045ab8bb8e3202673613bce8d409a
Opcode Fuzzy Hash: 112030f2a30385aef083143fe30366fb2e6a1b71ddf1793f9ba1b29f2ee791d9
Instruction Fuzzy Hash: 38617875A00218AFDB10DFA8DC81EEE77B8EB49700F14419AFA55E72A1C774AE41DB50

Function 008FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB165
GetWindowThreadProcessId.USER32(00000000), ref: 008FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB21D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 123f4c609440fc59c4bb001e71135dd8b0430e132d51f38dff0bf5448d9d6c24
Instruction ID: 402d0524fd1022cd08b92184510009b5ed05eb83b42b7c2f801a7a72ddd059fd
Opcode Fuzzy Hash: 123f4c609440fc59c4bb001e71135dd8b0430e132d51f38dff0bf5448d9d6c24
Instruction Fuzzy Hash: AF31ADB1528208BFEB209F74DC48BBD7BA9FB61391F108009FB01D6190D7B49E459FA4

Function 008C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008C2C94

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008C2CA0
_free.LIBCMT ref: 008C2CAB
_free.LIBCMT ref: 008C2CB6
_free.LIBCMT ref: 008C2CC1
_free.LIBCMT ref: 008C2CCC
_free.LIBCMT ref: 008C2CD7
_free.LIBCMT ref: 008C2CE2
_free.LIBCMT ref: 008C2CED
_free.LIBCMT ref: 008C2CFB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a914d3e7c6fe58741ccb58ec5973b97af373b4062e703c5bf111f1af9fd8cdaa
Instruction ID: 44efd02d7a48ebfda3c8ba9c484c4a5f93dccae19e39a68b900f73ae2b80d4d5
Opcode Fuzzy Hash: a914d3e7c6fe58741ccb58ec5973b97af373b4062e703c5bf111f1af9fd8cdaa
Instruction Fuzzy Hash: 1911A476100108AFCB02EF58D882EDD3FB5FF05350F4144A9FA489F2A2DA31EE549B91

Function 00907DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00907FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00907FC1
GetFileAttributesW.KERNEL32(?), ref: 00907FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00908005
SetCurrentDirectoryW.KERNEL32(?), ref: 00908017
SetCurrentDirectoryW.KERNEL32(?), ref: 00908060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009080B0

Strings

*.*, xrefs: 00908066

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 52bf7d7ed4a8ca194296bdcaf3355c54a3fcf8e6d7e15eb6bf1b952e5f461206
Instruction ID: a47f3ff0437cfa1a50e4d3cd6a9bb8835ba6c9fa3da0cdff0a7b2751670fbd84
Opcode Fuzzy Hash: 52bf7d7ed4a8ca194296bdcaf3355c54a3fcf8e6d7e15eb6bf1b952e5f461206
Instruction Fuzzy Hash: 188171729082459FCB20EF54C4449AEF7E8FF85320F544C6AF885D72A1EB35ED458B52

Function 00895BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00895C7A

Part of subcall function 00895D0A: GetClientRect.USER32(?,?), ref: 00895D30
Part of subcall function 00895D0A: GetWindowRect.USER32(?,?), ref: 00895D71
Part of subcall function 00895D0A: ScreenToClient.USER32(?,?), ref: 00895D99

GetDC.USER32 ref: 008D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008D4708
SelectObject.GDI32(00000000,00000000), ref: 008D4716
SelectObject.GDI32(00000000,00000000), ref: 008D472B
ReleaseDC.USER32(?,00000000), ref: 008D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008D47C4

Strings

U, xrefs: 008D4693

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 942bf70a074cb66d8ac384a4d4cef6154cb2e1351e0ad48432ad3a6d264a9c55
Instruction ID: bdb0eb8e32ee6b4b970927fe0846d82af1f0c5fb693089a10d533f37a831c259
Opcode Fuzzy Hash: 942bf70a074cb66d8ac384a4d4cef6154cb2e1351e0ad48432ad3a6d264a9c55
Instruction Fuzzy Hash: 3171E231404209DFCF219F64C984ABA7BB5FF4A368F18536AE956DA2A6C731CC41DF50

Function 0090359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009035E4

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

LoadStringW.USER32(00962390,?,00000FFF,?), ref: 0090360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00903742
Line %d (File "%s"):, xrefs: 0090366B
Error: , xrefs: 009036EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00903724
^ ERROR, xrefs: 009036C9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 15e7ebc9e018f61de32bee3dbcd4751e5a2ddfacc25ff0c3a8e64dbc29463289
Instruction ID: d60ba9a409a506c0ef6bcd4fcbf5fe3e799f997b87ced9881b5e3e224345908a
Opcode Fuzzy Hash: 15e7ebc9e018f61de32bee3dbcd4751e5a2ddfacc25ff0c3a8e64dbc29463289
Instruction Fuzzy Hash: F0516F71800209BADF15FBA4DC42EEEBB38FF54304F084129F505B21A1EB711B99DBA2

Function 0090C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0090C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0090C2CA
GetLastError.KERNEL32 ref: 0090C322
SetEvent.KERNEL32(?), ref: 0090C336
InternetCloseHandle.WININET(00000000), ref: 0090C341

Strings

, xrefs: 0090C2BB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2bddb202dfc7735a62b60d5f7c3f7b5e446e24cf17321124b9196e66395d708f
Instruction ID: 02b86dd8b438f6edf2629612205e96fd490e87981a5fb455e718ea514ec2647f
Opcode Fuzzy Hash: 2bddb202dfc7735a62b60d5f7c3f7b5e446e24cf17321124b9196e66395d708f
Instruction Fuzzy Hash: C5314AF1614608AFD7219FA48C88AAF7BFCEB49744F14861EF446D2290DB34DD05ABA1

Function 008F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008D3AAF,?,?,Bad directive syntax error,0092CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008F98BC
LoadStringW.USER32(00000000,?,008D3AAF,?), ref: 008F98C3

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008F9987

Strings

Line %d (File "%s"):, xrefs: 008F992D
., xrefs: 008F996D
Error: , xrefs: 008F9955
%s (%d) : ==> %s.: %s %s, xrefs: 008F98F1
Line %d:, xrefs: 008F9912

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b6b44f97512124582d1a5c00aa95c0f07861888ed38bb5d343d073a1fb342c91
Instruction ID: d76ce5f9376e9eee21f24cd39e9b140ff04cf3adce5ffa04eaee748110f59839
Opcode Fuzzy Hash: b6b44f97512124582d1a5c00aa95c0f07861888ed38bb5d343d073a1fb342c91
Instruction Fuzzy Hash: 8121943194421EABDF11EFA4CC06EFE7739FF14305F084469F615A20A2DB719618DB61

Function 008F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008F214D

Strings

smallicons, xrefs: 008F2115
largeicons, xrefs: 008F20E1
details, xrefs: 008F20FB
list, xrefs: 008F212F
SHELLDLL_DefView, xrefs: 008F20CC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 971ce1bd5dec5a5b85a88bc6178152e59786cd9d99f12cb1911a13ed6eb05d96
Instruction ID: ea764708651f3d395dbd81eaffa746ee7e3504ad26583b7802dea9ae825babb8
Opcode Fuzzy Hash: 971ce1bd5dec5a5b85a88bc6178152e59786cd9d99f12cb1911a13ed6eb05d96
Instruction Fuzzy Hash: 4111367628870FB9FA116234DC1BDFA739CEF05329B211116FB04E40E2FE61B88A5619

Function 008C8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1930f311cb1090ef4d533f18cc5931a8f9cd6d04895b64e8bf03e1f3b625238f
Instruction ID: 1907beb348b25ef5941edf6eda437cdbcdc226532601e5b0e77c2d7759c6e0d4
Opcode Fuzzy Hash: 1930f311cb1090ef4d533f18cc5931a8f9cd6d04895b64e8bf03e1f3b625238f
Instruction Fuzzy Hash: 92C1BB74A04649AFDB219FA8D885FADBBB0FF49310F08409DE955E7392CB70D941CB62

Function 008CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008CCEB7
_free.LIBCMT ref: 008CCF22
_free.LIBCMT ref: 008CCF48
_free.LIBCMT ref: 008CCF71
_free.LIBCMT ref: 008CCFA9
_free.LIBCMT ref: 008CCFDA
_free.LIBCMT ref: 008CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008CD09C
_free.LIBCMT ref: 008CD0B5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4f0d4df43ed8888378c2c6e248e2ee84bd777a56e5305681e2c28ff6198aa927
Instruction ID: 09ae8f5e6e12c0cffaca07cbfbb183be140ef27ec2888948a8b0c45a93997284
Opcode Fuzzy Hash: 4f0d4df43ed8888378c2c6e248e2ee84bd777a56e5305681e2c28ff6198aa927
Instruction Fuzzy Hash: 0D613571918304AFDB21AFB89892F6A7BB9FF05320F04426DF948D7282DBB1DD019791

Function 009250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00925186
ShowWindow.USER32(?,00000000), ref: 009251C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009251CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009251D1

Part of subcall function 00926FBA: DeleteObject.GDI32(00000000), ref: 00926FE6

GetWindowLongW.USER32(?,000000F0), ref: 0092520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0092521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0092524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00925287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00925296

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a471de91539daee81c999cecd58ffdc32ab8d749810e0495cc48f40754234abc
Instruction ID: c7ffb70f9689932ed0ab1c36fc5331392262ac707a7cd5c5e126ff697db2a48d
Opcode Fuzzy Hash: a471de91539daee81c999cecd58ffdc32ab8d749810e0495cc48f40754234abc
Instruction Fuzzy Hash: 0851B270A58A28FEEF309F24EC45BD83B69FB05320F154011F625962E9C375E990DB41

Function 008A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008A8874,00000000,00000000,00000000,000000FF,00000000), ref: 008E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008A8874,00000000,00000000,00000000,000000FF,00000000), ref: 008E692D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 621dbe1bed8f60659c4d85726d7f07864ad06983c8f652ff12e84fface5be05d
Instruction ID: 118792c4054014780f3349a2f58e24f52b7674ed9a2464e9ce4351a7b11bd045
Opcode Fuzzy Hash: 621dbe1bed8f60659c4d85726d7f07864ad06983c8f652ff12e84fface5be05d
Instruction Fuzzy Hash: E0519AB0600209EFEB20DF25CC55BAA7BB5FB59360F104528F902D76A0EB70E991DB60

Function 0090C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0090C182
GetLastError.KERNEL32 ref: 0090C195
SetEvent.KERNEL32(?), ref: 0090C1A9

Part of subcall function 0090C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090C272
Part of subcall function 0090C253: GetLastError.KERNEL32 ref: 0090C322
Part of subcall function 0090C253: SetEvent.KERNEL32(?), ref: 0090C336
Part of subcall function 0090C253: InternetCloseHandle.WININET(00000000), ref: 0090C341

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 800eb66ee49e1a278521d64c325ba666ef13794b7634685c890e4e91f9440f29
Instruction ID: 04e359c88821a1f2d982c69d0ab532026ba9cc499c349c10dd897795e86f13a8
Opcode Fuzzy Hash: 800eb66ee49e1a278521d64c325ba666ef13794b7634685c890e4e91f9440f29
Instruction Fuzzy Hash: 5C318EB1604601FFDB219FA9DD44A6ABBFDFF58310B00461DF96682A50DB30E815ABA0

Function 008F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008F2627

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e95d4c387bd40c9cdca2bd437a89292d89c5aa85cdda6888b2585fed9babbd29
Instruction ID: f77a267d32ef716d258bace6ee74fdc6293bbbde877ef7c322e3478f8e2319e8
Opcode Fuzzy Hash: e95d4c387bd40c9cdca2bd437a89292d89c5aa85cdda6888b2585fed9babbd29
Instruction Fuzzy Hash: BD01D870398624BBFB2067799C8AF693F59EF4EB11F100001F314EE0D1C9E214459A6A

Function 008F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008F1449,?,?,00000000), ref: 008F180C
HeapAlloc.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008F1449,?,?,00000000), ref: 008F1828
GetCurrentProcess.KERNEL32(?,00000000,?,008F1449,?,?,00000000), ref: 008F1830
DuplicateHandle.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008F1449,?,?,00000000), ref: 008F1843
GetCurrentProcess.KERNEL32(008F1449,00000000,?,008F1449,?,?,00000000), ref: 008F184B
DuplicateHandle.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F184E
CreateThread.KERNEL32(00000000,00000000,008F1874,00000000,00000000,00000000), ref: 008F1868

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99af5b302d9eb31b970c33e62164138d4c1b8c2d8ab357b29a8a666af843d74a
Instruction ID: 03fbc42c9d77d270aef798b8138161c2192076bc61d1027d5f973eb94812426e
Opcode Fuzzy Hash: 99af5b302d9eb31b970c33e62164138d4c1b8c2d8ab357b29a8a666af843d74a
Instruction Fuzzy Hash: 6801BFB5654308BFE720AB75DC4EF6B3B6CEB89B11F104411FA05DB192C6749815DB60

Function 0091A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008FD501
Part of subcall function 008FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008FD50F
Part of subcall function 008FD4DC: CloseHandle.KERNELBASE(00000000), ref: 008FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0091A16D
GetLastError.KERNEL32 ref: 0091A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0091A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0091A268
GetLastError.KERNEL32(00000000), ref: 0091A273
CloseHandle.KERNEL32(00000000), ref: 0091A2C4

Strings

SeDebugPrivilege, xrefs: 0091A18F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9df9002dce82d186b21ce223c2c325d5fb4c4fcec62bb5b134246ae355841230
Instruction ID: 883c526dfcb28e557081e0bad2f8abaae1f50d9bf9dfc8ed8e85190b28f749e2
Opcode Fuzzy Hash: 9df9002dce82d186b21ce223c2c325d5fb4c4fcec62bb5b134246ae355841230
Instruction Fuzzy Hash: 9661B271309241AFD720DF18C494F69BBE5AF44318F58848CE4668B7A3C776ED85CB92

Function 00923886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00923925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0092393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00923954
_wcslen.LIBCMT ref: 00923999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009239F4

Strings

SysListView32, xrefs: 009238F7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 7a69ffa917d2c099f61d12b6a1dfb0ff74a9cf27642926eb2ceb2a37b08417f6
Instruction ID: c24a98d36e7a39e2d7f04e1932bfdb42f53ad40edc2cd799f9a9f4e8a8a6cf2c
Opcode Fuzzy Hash: 7a69ffa917d2c099f61d12b6a1dfb0ff74a9cf27642926eb2ceb2a37b08417f6
Instruction Fuzzy Hash: 1441E371A00229ABEF21DF64DC49BEE7BA9FF48350F104526F948E7281D7759E80CB90

Function 008FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FBCFD
IsMenu.USER32(00000000), ref: 008FBD1D
CreatePopupMenu.USER32 ref: 008FBD53
GetMenuItemCount.USER32(00AA6EE8), ref: 008FBDA4
InsertMenuItemW.USER32(00AA6EE8,?,00000001,00000030), ref: 008FBDCC

Strings

0, xrefs: 008FBCA8
2, xrefs: 008FBD37

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 987f02535a557b8da7e31a1114d158a99d9c1622bfc19cbcf2622e8261ea4012
Instruction ID: a8bf5a1e54c077571426a5d8c7dda42190721c91f3d3ad9e3e677d636f1f70fd
Opcode Fuzzy Hash: 987f02535a557b8da7e31a1114d158a99d9c1622bfc19cbcf2622e8261ea4012
Instruction Fuzzy Hash: F0518BB0A0420D9BDB20EFB8D884BBEBBF8FF45354F244219E611D7290D7709941CB62

Function 008FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008FC913

Strings

blank, xrefs: 008FC895
question, xrefs: 008FC8CC
info, xrefs: 008FC8B4
stop, xrefs: 008FC8E4
warning, xrefs: 008FC8FC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b8b1e625ad6e242cd2821769d9ffc472e5d8f27e83b3c44429fb2d7b49debd01
Instruction ID: 6b310c81f503970b8d07e0269d7988fd40b94b18808822213c162f5437439613
Opcode Fuzzy Hash: b8b1e625ad6e242cd2821769d9ffc472e5d8f27e83b3c44429fb2d7b49debd01
Instruction Fuzzy Hash: 2C11083178930EBAEB009B749D83CBE6B9CFF15359B50102AFA00E6282E7A19F045265

Function 008FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008FDE42
gethostname.WSOCK32(?,00000100), ref: 008FDE5C
gethostbyname.WSOCK32(?), ref: 008FDE69
inet_ntoa.WSOCK32(?), ref: 008FDEAB
_strcat.LIBCMT ref: 008FDEB9
WSACleanup.WSOCK32 ref: 008FDEDE

Strings

0.0.0.0, xrefs: 008FDE87

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ab203b34192b9c27004248e6dd779b882d0344f59d4ba8068d2bf82a207f7ba6
Instruction ID: 5682750899a8b46527d3474a1d4530eb0cff5e51abe7764d22b7eab4247d3d00
Opcode Fuzzy Hash: ab203b34192b9c27004248e6dd779b882d0344f59d4ba8068d2bf82a207f7ba6
Instruction Fuzzy Hash: 92110671904218ABCB30BB749C0AEEE77ADFF11715F010169F745EA192EF718A819A61

Function 00929F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetSystemMetrics.USER32(0000000F), ref: 00929FC7
GetSystemMetrics.USER32(0000000F), ref: 00929FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0092A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0092A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0092A263
ShowWindow.USER32(00000003,00000000), ref: 0092A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0092A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0092A2CA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a4744126385acaedc1cbd660de00ebbf5750af7875b8ac0b7c1e2df881b6bce5
Instruction ID: bd982f99d6fb5d0886d0a363b1eb66d2d86799d59458584539d51f9b4828ca3e
Opcode Fuzzy Hash: a4744126385acaedc1cbd660de00ebbf5750af7875b8ac0b7c1e2df881b6bce5
Instruction Fuzzy Hash: C1B1EB32604225EFDF14CF68D9847AE3BB6FF44711F088069EC59AB29AD731A940CB61

Function 008FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008FED2A
_wcslen.LIBCMT ref: 008FED3B
_wcslen.LIBCMT ref: 008FED79
_wcslen.LIBCMT ref: 008FEDAF
_wcslen.LIBCMT ref: 008FEDDF
_wcslen.LIBCMT ref: 008FEDEF
_wcslen.LIBCMT ref: 008FEE2B
_wcslen.LIBCMT ref: 008FEE5A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5de8fb07c11c1bf597eed7ba070b565e410bac05b79297984b34a80230683c33
Instruction ID: deea6066a7a2490dc106dfba7ae934723f1e1cb5b7524f379c7cc2935fd57940
Opcode Fuzzy Hash: 5de8fb07c11c1bf597eed7ba070b565e410bac05b79297984b34a80230683c33
Instruction Fuzzy Hash: 4D416265C1021C76DB11EBF88C8A9DFB7A8FF45710F508566E618E3222FB34E255C3A6

Function 008AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008EF454

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b6d0614ff77118a3ac6f6da44f5a0f935faf209b9489ba60468bba30c1b5635a
Instruction ID: b9edc3e684533a956897458bc64c2337372bbf3e848e6df45fb083d060d043ba
Opcode Fuzzy Hash: b6d0614ff77118a3ac6f6da44f5a0f935faf209b9489ba60468bba30c1b5635a
Instruction Fuzzy Hash: 2F411830218680BAE7788B69888876B7F91FB47318F1C443CE387D2E63C631A881DB51

Function 00922D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00922D1B
GetDC.USER32(00000000), ref: 00922D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00922D2E
ReleaseDC.USER32(00000000,00000000), ref: 00922D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00922D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00922D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00925A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00922DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00922DE1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf999a35aa5e2a1729b1a0c4766e84fd22305935c75f9694703032435f2fe795
Instruction ID: 7df2cdf0a111df0c90be60eb25a8acf81daa08e9199bd1a33d575fb0cc8d0140
Opcode Fuzzy Hash: cf999a35aa5e2a1729b1a0c4766e84fd22305935c75f9694703032435f2fe795
Instruction Fuzzy Hash: 7B317AB2215224BFEB218F50DC8AFEB3BADEF09715F044055FE089A291C6759C51CBA4

Function 008F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008F5637
_memcmp.LIBVCRUNTIME ref: 008F5659
_memcmp.LIBVCRUNTIME ref: 008F5671
_memcmp.LIBVCRUNTIME ref: 008F5684
_memcmp.LIBVCRUNTIME ref: 008F569E
_memcmp.LIBVCRUNTIME ref: 008F56B1
_memcmp.LIBVCRUNTIME ref: 008F56C9
_memcmp.LIBVCRUNTIME ref: 008F56E4

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: afd0015c3864effba1b3b7138aaf5211446b7d117d1529414c380ebe5c775454
Instruction ID: 587c5781fb5d35efe99cf11b737aa51f0b236b1a89fdb15a928aad88ecbc0fb6
Opcode Fuzzy Hash: afd0015c3864effba1b3b7138aaf5211446b7d117d1529414c380ebe5c775454
Instruction Fuzzy Hash: 62219561644A1D77D654A6349DA6FFA239CFE74388F840030FF15DE785F728ED1081A6

Function 00914FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00915007
NULL Pointer assignment, xrefs: 0091502E, 00915383

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b87d6c4582364ebe70d3cbc5816d4c4637ae15930d07061ae9d932d24a574dc1
Instruction ID: 2e9998836d09ea10ee8993069c719fc066fc11af14b400dfe30d59f337850f8d
Opcode Fuzzy Hash: b87d6c4582364ebe70d3cbc5816d4c4637ae15930d07061ae9d932d24a574dc1
Instruction Fuzzy Hash: 26D17071B0060AEFDB10DF98D881BEEB7B9BF88344F168469E915AB281D770DD85CB50

Function 008D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008D15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008D1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008D16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008D16FB

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008D1777
__freea.LIBCMT ref: 008D17A2
__freea.LIBCMT ref: 008D17AE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 4d3ff908644795f8437521da289979f495ec2efce203045aeca2c3f9bef40b9a
Instruction ID: 77cfe1a7553a3ed8c882aae1bec261e55b6a3b81e917058962b7eac9ea85fe6f
Opcode Fuzzy Hash: 4d3ff908644795f8437521da289979f495ec2efce203045aeca2c3f9bef40b9a
Instruction Fuzzy Hash: F091C271F0021AAADF208E64D889AEE7BB5FF49714F18475AE805E7351DB39DD40CBA0

Function 00914523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00914648
VariantInit.OLEAUT32(?), ref: 00914749
VariantClear.OLEAUT32(?), ref: 00914753
VariantClear.OLEAUT32(?), ref: 009147B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0091472C
Null Object assignment in FOR..IN loop, xrefs: 009145D8, 00914706, 009147BE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 61dcdf683762b81f2a2ac10a9fb983625fe95c1c75dadbba4fbc89b0a7c3277f
Instruction ID: 5ef03288b82c24aa63e82c84709917b15589a1eca57935d92fbb799d5af697dd
Opcode Fuzzy Hash: 61dcdf683762b81f2a2ac10a9fb983625fe95c1c75dadbba4fbc89b0a7c3277f
Instruction Fuzzy Hash: 6F917E71A00219ABDF20CFA5DC44FEEBBB8EF4A715F108559F515AB280D7709985CFA0

Function 00901187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0090125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00901284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0090135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00901430

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 388ea769a9abd7beb4e076f9f4d3a7df7e4338d52b17d41144b8c8b749fef323
Instruction ID: f8d4fcf2b37ea6b277d9bc111c26ad70056283df16f82a4d34452c989ecf17ae
Opcode Fuzzy Hash: 388ea769a9abd7beb4e076f9f4d3a7df7e4338d52b17d41144b8c8b749fef323
Instruction Fuzzy Hash: BC910471A00219AFEB00DFA8C884BBEB7B9FF45314F144429E951EB2E1D778E941CB91

Function 008A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6085ff2506db088b20c7c5a03fe3925442d3a5cb2c9821974ed04c834f2bcd9d
Instruction ID: a1145ac603871512a19b94177d030b28bc5be733185f826afa8610ddd4937af2
Opcode Fuzzy Hash: 6085ff2506db088b20c7c5a03fe3925442d3a5cb2c9821974ed04c834f2bcd9d
Instruction Fuzzy Hash: 8A913471D08219EFDB10CFA9C885AEEBBB9FF4A320F148049E555F7251D374AA42CB60

Function 00913947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0091396B
CharUpperBuffW.USER32(?,?), ref: 00913A7A
_wcslen.LIBCMT ref: 00913A8A
VariantClear.OLEAUT32(?), ref: 00913C1F

Part of subcall function 00900CDF: VariantInit.OLEAUT32(00000000), ref: 00900D1F
Part of subcall function 00900CDF: VariantCopy.OLEAUT32(?,?), ref: 00900D28
Part of subcall function 00900CDF: VariantClear.OLEAUT32(?), ref: 00900D34

Strings

AUTOIT.ERROR, xrefs: 00913A80, 00913A85
Incorrect Parameter format, xrefs: 009139A6, 00913BA1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b3850bff612c7dbd9565f82ba8f1c289244026ba0c9ec44c6690a987c8a6926e
Instruction ID: 732dc732ba238b740dc02f7b86bf293bf638c2e96c937c632ea5b7752f5665f0
Opcode Fuzzy Hash: b3850bff612c7dbd9565f82ba8f1c289244026ba0c9ec44c6690a987c8a6926e
Instruction Fuzzy Hash: 6A9126746083059FCB14EF28C4809AAB7E8FF89314F14892DF89A97351DB30EE45CB92

Function 00914BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?,?,008F035E), ref: 008F002B
Part of subcall function 008F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0046
Part of subcall function 008F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0054
Part of subcall function 008F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?), ref: 008F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00914C51
_wcslen.LIBCMT ref: 00914D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00914DCF
CoTaskMemFree.OLE32(?), ref: 00914DDA

Strings

NULL Pointer assignment, xrefs: 00914E23, 00914E52

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f4787ded3262c71f9a48ab0330593c2ea8c66c47bb5a0e0a42983c66f31f1953
Instruction ID: 7c58e249d08aba12c737af15b8ae531fad84510eb952425e47a8e2c47637133a
Opcode Fuzzy Hash: f4787ded3262c71f9a48ab0330593c2ea8c66c47bb5a0e0a42983c66f31f1953
Instruction Fuzzy Hash: 86911671D0021DAFDF14DFA4D891AEEB7B9FF08310F108569E915A7291EB349A44CFA1

Function 009220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00922183
GetMenuItemCount.USER32(00000000), ref: 009221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009221DD
_wcslen.LIBCMT ref: 00922213
GetMenuItemID.USER32(?,?), ref: 0092224D
GetSubMenu.USER32(?,?), ref: 0092225B

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009222E3

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 86d55b71977c4b5029451d38704259c6c1150c413630301a38137345ab7ce149
Instruction ID: bd33319314f0ca079cb8be9c1da693646763d9b62e369a2f5d24e917e0298903
Opcode Fuzzy Hash: 86d55b71977c4b5029451d38704259c6c1150c413630301a38137345ab7ce149
Instruction Fuzzy Hash: 6771CF75A04215EFCB14EFA8D881AAEB7F5FF48310F148458E926EB355DB35EE018B90

Function 00927E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AA6D80), ref: 00927F37
IsWindowEnabled.USER32(00AA6D80), ref: 00927F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0092801E
SendMessageW.USER32(00AA6D80,000000B0,?,?), ref: 00928051
IsDlgButtonChecked.USER32(?,?), ref: 00928089
GetWindowLongW.USER32(00AA6D80,000000EC), ref: 009280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009280C3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 85b186346edee454a762078b45dd2ded26b9df1c0b41c03eec2a89fcba33626b
Instruction ID: 373a4acfe1128064269708c3973d68d8ac363e24c30fee13a76b4324c2cb5ee0
Opcode Fuzzy Hash: 85b186346edee454a762078b45dd2ded26b9df1c0b41c03eec2a89fcba33626b
Instruction Fuzzy Hash: E771C27460D224AFEB209F94ED84FFABBB9FF09300F140459F945A72A9CB31A845DB11

Function 008FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008FAEF9
GetKeyboardState.USER32(?), ref: 008FAF0E
SetKeyboardState.USER32(?), ref: 008FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008FB020

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 634bb1e444bd1849c31ddfbc6d8d9a6361e9ea2c103833bd2436081605173ce1
Instruction ID: 9e2a8b006d06ee5c0f006963ffa10fea6fb79e6d347324b9c7defab91ca16186
Opcode Fuzzy Hash: 634bb1e444bd1849c31ddfbc6d8d9a6361e9ea2c103833bd2436081605173ce1
Instruction Fuzzy Hash: A751E5E06147D93DFB364234CC45BBA7EA9FB06314F088589E2E9D94C2C798ACC4D761

Function 008FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008FAD19
GetKeyboardState.USER32(?), ref: 008FAD2E
SetKeyboardState.USER32(?), ref: 008FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008FAE38

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7d1205352a24a88b5dfce8c98c2bcc08cf9a2cef759970da1931f1d2d9979aea
Instruction ID: 7b0839f7c07967f6f479c16071f6c086473e423640365580cbdbde8624a40e60
Opcode Fuzzy Hash: 7d1205352a24a88b5dfce8c98c2bcc08cf9a2cef759970da1931f1d2d9979aea
Instruction Fuzzy Hash: 9651E6E15047D93DFB3A9334CC85B7A7EA9FB45310F088488E2D9D68C2D294EC88D762

Function 008C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008D3CD6,?,?,?,?,?,?,?,?,008C5BA3,?,?,008D3CD6,?,?), ref: 008C5470
__fassign.LIBCMT ref: 008C54EB
__fassign.LIBCMT ref: 008C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008D3CD6,00000005,00000000,00000000), ref: 008C552C
WriteFile.KERNEL32(?,008D3CD6,00000000,008C5BA3,00000000,?,?,?,?,?,?,?,?,?,008C5BA3,?), ref: 008C554B
WriteFile.KERNEL32(?,?,00000001,008C5BA3,00000000,?,?,?,?,?,?,?,?,?,008C5BA3,?), ref: 008C5584

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b6293a5b8226746dfd527460bfd9587047d9121c07c37967c770679e460e58a9
Instruction ID: b592460fed2bca848e05c41f4c8fd21d8996e41d5ba95262b13059c7a138133f
Opcode Fuzzy Hash: b6293a5b8226746dfd527460bfd9587047d9121c07c37967c770679e460e58a9
Instruction Fuzzy Hash: E4518BB0A04609AFDF10CFA8D895FEEBBB9FB09300F14451EE555E7291D670EA81CB60

Function 008B2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008B2D53
_ValidateLocalCookies.LIBCMT ref: 008B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008B2E0C
_ValidateLocalCookies.LIBCMT ref: 008B2E61

Strings

csm, xrefs: 008B2DF6

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e66edebde9864b0690a57c6b9f7bd209fab6d175a2fc7030b0ff66a0ef9a2691
Instruction ID: dc2cb48e3bed56a5415cf978573bb71bc58f26813bf0c546020e8e3c9d08ffd9
Opcode Fuzzy Hash: e66edebde9864b0690a57c6b9f7bd209fab6d175a2fc7030b0ff66a0ef9a2691
Instruction Fuzzy Hash: 25418034A0020DABCF10DF69C855ADEBBA5FF45328F188165E815EB392D731AA15CB91

Function 009110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
Part of subcall function 0091304E: _wcslen.LIBCMT ref: 0091309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00911112
WSAGetLastError.WSOCK32 ref: 00911121
WSAGetLastError.WSOCK32 ref: 009111C9
closesocket.WSOCK32(00000000), ref: 009111F9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e9aa77a039887a0dd765558acdf8bd0122ff19a201c9d8a5e5cb14c40b640f3b
Instruction ID: 22a35a41bc04913a2de8b766ffa6354d49273f3df5d95f505aa87a030de26cf3
Opcode Fuzzy Hash: e9aa77a039887a0dd765558acdf8bd0122ff19a201c9d8a5e5cb14c40b640f3b
Instruction Fuzzy Hash: 4F41C171704208BFDB209F18D884BEABBE9FF45324F148059FA199B291D774AD81CBA1

Function 008FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008FCF22,?), ref: 008FDDFD

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008FCF22,?), ref: 008FDE16

lstrcmpiW.KERNEL32(?,?), ref: 008FCF45
MoveFileW.KERNEL32(?,?), ref: 008FCF7F
_wcslen.LIBCMT ref: 008FD005
_wcslen.LIBCMT ref: 008FD01B
SHFileOperationW.SHELL32(?), ref: 008FD061

Strings

\*.*, xrefs: 008FCFF3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c880c18f76dd0ba268155bc24e5077ee26de3664f8bcc1b405367984ea6d4f50
Instruction ID: edcf2192ab8c5ca1cb3eaa2f4f0cca250430c6179b4fc351566481e6e1f45ccd
Opcode Fuzzy Hash: c880c18f76dd0ba268155bc24e5077ee26de3664f8bcc1b405367984ea6d4f50
Instruction Fuzzy Hash: 8841437194521C5FDF12EBB4CA81AEEB7B9FF48380F1000A6E605EB151EE74A785CB51

Function 00922DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00922E1C
GetWindowLongW.USER32(?,000000F0), ref: 00922E4F
GetWindowLongW.USER32(?,000000F0), ref: 00922E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00922EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00922EE0
GetWindowLongW.USER32(?,000000F0), ref: 00922EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00922F0B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6a92ed916b0888ba1bc6f5b2d4d497c43ef927f246aff564aadca37a0e3cb071
Instruction ID: e01ae4b2c0cdd4ce06c9183b634a134414fd44c1c187d16810481b9aef96ed76
Opcode Fuzzy Hash: 6a92ed916b0888ba1bc6f5b2d4d497c43ef927f246aff564aadca37a0e3cb071
Instruction Fuzzy Hash: 83310630619161AFDB21CF58EC84F6937E5FB9A710F1A0164F9118F2B5CBB1A841EF41

Function 008F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F778F
SysAllocString.OLEAUT32(00000000), ref: 008F7792
SysAllocString.OLEAUT32(?), ref: 008F77B0
SysFreeString.OLEAUT32(?), ref: 008F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008F77DE
SysAllocString.OLEAUT32(?), ref: 008F77EC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 12071aa042cc5bd3fa8be69ca257ebede6ae3078d765caf0b96d62713fc42fac
Instruction ID: e9e6fc68a0eb46b68f965b5e33d84bc5698acfb6ee08f82ada5813b1ff1a96f9
Opcode Fuzzy Hash: 12071aa042cc5bd3fa8be69ca257ebede6ae3078d765caf0b96d62713fc42fac
Instruction Fuzzy Hash: E7217F7661821DAFEB10AFB8DC88CBB77ACFB097647148025FA15DB161D6709C428BA4

Function 008F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7868
SysAllocString.OLEAUT32(00000000), ref: 008F786B
SysAllocString.OLEAUT32 ref: 008F788C
SysFreeString.OLEAUT32 ref: 008F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008F78AF
SysAllocString.OLEAUT32(?), ref: 008F78BD

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d4702816f8eee410bc6c1e864a28f90a2b512b79ce21aea4687366f77060566e
Instruction ID: 106eef1435e90334adef503a7c21a74bacd9e414670f5ecc175c18d1fa6a5dbd
Opcode Fuzzy Hash: d4702816f8eee410bc6c1e864a28f90a2b512b79ce21aea4687366f77060566e
Instruction Fuzzy Hash: 56216571618108AFEB10AFB8DC89DBA77ECFB097607108135FA15CB1A1D674DC41DB68

Function 009004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0090052E

Strings

nul, xrefs: 00900567

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d3246833ab0382e81860d8326f21dec78413d79018fcee45a3de75b83d72e244
Instruction ID: f1143f5d1943ad830d9958046cbb5bf798e4b3ed53822f8a4bb72b7ea8ef79bf
Opcode Fuzzy Hash: d3246833ab0382e81860d8326f21dec78413d79018fcee45a3de75b83d72e244
Instruction Fuzzy Hash: 322148B5500205AFDB209F2ADC45B9E7BF8AF85724F204A29F8A1D62E0E7709951DF20

Function 009005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00900601

Strings

nul, xrefs: 00900639

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 190284e45730e21fa3af0b0b23c80e2a3e00c1037b4c5f2655fcf02a371b6645
Instruction ID: f2bf7810041671630fa85112cfae38be9079d18335776ad754fba35c4ef967b2
Opcode Fuzzy Hash: 190284e45730e21fa3af0b0b23c80e2a3e00c1037b4c5f2655fcf02a371b6645
Instruction Fuzzy Hash: 44218E755003059FDB209F69DC04B9A77E9AFD5B20F200B19F8A1E72E0DBB199A1DB20

Function 009240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0089600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
Part of subcall function 0089600E: GetStockObject.GDI32(00000011), ref: 00896060
Part of subcall function 0089600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00924112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0092411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0092412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00924139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00924145

Strings

Msctls_Progress32, xrefs: 009240E3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 64fd43cc0ddeb635a593b48e198abb2fcaa461eb1be92149fb2b8a4aa9891e83
Instruction ID: 0efd9c9b96ac09b85b2a438241979306f9ca557c9472af2ace9f678fb67c96b7
Opcode Fuzzy Hash: 64fd43cc0ddeb635a593b48e198abb2fcaa461eb1be92149fb2b8a4aa9891e83
Instruction Fuzzy Hash: EA11B6B11502297EEF119F64DC85EE77F5DEF18798F014110FA18A2090C7729C61DBA4

Function 008CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008CD7A3: _free.LIBCMT ref: 008CD7CC

_free.LIBCMT ref: 008CD82D

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CD838
_free.LIBCMT ref: 008CD843
_free.LIBCMT ref: 008CD897
_free.LIBCMT ref: 008CD8A2
_free.LIBCMT ref: 008CD8AD
_free.LIBCMT ref: 008CD8B8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 65305edde989446064f66b714a0c882fc34282cb9b7e0cf5fa8ba4d96dc5e5ed
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 4511F971540B04AAD621BFB4CC46FCB7BBCFF04700F40982DB29DE6892DA75E5098662

Function 008FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008FDA74
LoadStringW.USER32(00000000), ref: 008FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008FDA91
LoadStringW.USER32(00000000), ref: 008FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008FDAB9

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 1eeec99c28fbeff39b36ddf685a2f3e0182db3c69b347328bbcdf80824dfb73a
Instruction ID: 0f781f505ab670d052c7447d9473b38d5f222099a1790ee591523d8b73c74d20
Opcode Fuzzy Hash: 1eeec99c28fbeff39b36ddf685a2f3e0182db3c69b347328bbcdf80824dfb73a
Instruction Fuzzy Hash: 4E0162F25042187FE720DBA49D89EFF326CEB08305F400492B746E2041E6749E854F74

Function 0090096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00A9EB30,00A9EB30), ref: 0090097B
EnterCriticalSection.KERNEL32(00A9EB10,00000000), ref: 0090098D
TerminateThread.KERNEL32(?,000001F6), ref: 0090099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009009A9
CloseHandle.KERNEL32(?), ref: 009009B8
InterlockedExchange.KERNEL32(00A9EB30,000001F6), ref: 009009C8
LeaveCriticalSection.KERNEL32(00A9EB10), ref: 009009CF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 857520afe34f80b9ab1e3fef3c817f6b7e41565e80696c08059e1791fc34165d
Instruction ID: 3e491ae7e93b7133c74f047f371676d6d0f796818ebf393d6248bda8b118b5f8
Opcode Fuzzy Hash: 857520afe34f80b9ab1e3fef3c817f6b7e41565e80696c08059e1791fc34165d
Instruction Fuzzy Hash: 62F01D7145A902EBD7615B94EE89BDA7A29BF41702F501015F111508A1CB749466DF90

Function 00895D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00895D30
GetWindowRect.USER32(?,?), ref: 00895D71
ScreenToClient.USER32(?,?), ref: 00895D99
GetClientRect.USER32(?,?), ref: 00895ED7
GetWindowRect.USER32(?,?), ref: 00895EF8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 75fe73657812472fcfa438f4c16d93a1e25eab13ebe0414d0f4fc8233774502d
Instruction ID: 8396b3010a3de0f5c93e6b5f9602ba207206a21549e88e703b69f4cf05750eb1
Opcode Fuzzy Hash: 75fe73657812472fcfa438f4c16d93a1e25eab13ebe0414d0f4fc8233774502d
Instruction Fuzzy Hash: 41B16875A00A4ADBDF10DFA9C4807EEB7F1FF48310F18951AE8AAD7250DB30AA51DB50

Function 008C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C00D6
__allrem.LIBCMT ref: 008C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C010B
__allrem.LIBCMT ref: 008C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C0140

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c81cc3136cad4843ebe30626d44e2ad55db3a3b3989d4093b199840fd3171e95
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 2281B471A00B069BE7249E6CCC42FAAB3F9FF51764F24452EF551D6782EB70D9008B51

Function 00911D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00913149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0091101C,00000000,?,?,00000000), ref: 00913195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00911DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00911DE1
WSAGetLastError.WSOCK32 ref: 00911DF2
inet_ntoa.WSOCK32(?), ref: 00911E8C
htons.WSOCK32(?,?,?,?,?), ref: 00911EDB
_strlen.LIBCMT ref: 00911F35

Part of subcall function 008F39E8: _strlen.LIBCMT ref: 008F39F2

Part of subcall function 00896D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,008ACF58,?,?,?), ref: 00896DBA
Part of subcall function 00896D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,008ACF58,?,?,?), ref: 00896DED

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: afb939571c2262a2f97cb6cbfd918be0666b9f5741bc0a58d5b0160fdd76c998
Instruction ID: 49832cb3fde4ba7ce59634fcf4242567cce31c80b7e857fde78319ba4131023f
Opcode Fuzzy Hash: afb939571c2262a2f97cb6cbfd918be0666b9f5741bc0a58d5b0160fdd76c998
Instruction Fuzzy Hash: 93A1D531204304AFD714EF24C885E6A77A5FF85318F54494CF5569B2A2DB71ED82CB92

Function 008C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008B82D9,008B82D9,?,?,?,008C644F,00000001,00000001,8BE85006), ref: 008C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008C644F,00000001,00000001,8BE85006,?,?,?), ref: 008C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008C63D8
__freea.LIBCMT ref: 008C63E5

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

__freea.LIBCMT ref: 008C63EE
__freea.LIBCMT ref: 008C6413

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b77d8afe14024f8bc1b8176401cf181ed45c23648e5510c59450eaf90c41e8f8
Instruction ID: 00a6fa6a01e98331b076555144ebd437dc84c57c9b8fbbb4d7d8c6cb67bc86a7
Opcode Fuzzy Hash: b77d8afe14024f8bc1b8176401cf181ed45c23648e5510c59450eaf90c41e8f8
Instruction Fuzzy Hash: 9651AB72A00256ABEB258E74CC81FAF7BB9FB44750F14463DF805D6281EB34DC61D6A0

Function 0091BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091BD25
RegCloseKey.ADVAPI32(00000000), ref: 0091BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0091BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0091BDF3
RegCloseKey.ADVAPI32(?), ref: 0091BDFF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 84f6ffe7b22d6a1e86538677a4491dee33b7280c5f054d98896989178a5b8db1
Instruction ID: 5a435f89c20372edb4b16ee94332493d9d3bb5f2c903e5320d383da0a214bfc5
Opcode Fuzzy Hash: 84f6ffe7b22d6a1e86538677a4491dee33b7280c5f054d98896989178a5b8db1
Instruction Fuzzy Hash: 9881A270208245EFD714DF28C895E6ABBE9FF84308F14895CF5958B2A2DB31ED45CB92

Function 008EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008EF7B9
SysAllocString.OLEAUT32(00000001), ref: 008EF860
VariantCopy.OLEAUT32(008EFA64,00000000), ref: 008EF889
VariantClear.OLEAUT32(008EFA64), ref: 008EF8AD
VariantCopy.OLEAUT32(008EFA64,00000000), ref: 008EF8B1
VariantClear.OLEAUT32(?), ref: 008EF8BB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: be04dd2ed8602ffa6ca4477e511721213669eb108ffa2620ce914851ad17f4f5
Instruction ID: 9ca8350f74e326352851bafe0a91b227ea8cc2988ec26141465bb7de48c4b8db
Opcode Fuzzy Hash: be04dd2ed8602ffa6ca4477e511721213669eb108ffa2620ce914851ad17f4f5
Instruction Fuzzy Hash: C151D431610354ABDF20BB6AD895B29B7A8FF47314B248466FA05DF293DB708C40CB97

Function 0090910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009094E5
_wcslen.LIBCMT ref: 00909506
_wcslen.LIBCMT ref: 0090952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00909585

Strings

X, xrefs: 00909412

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fa6ef8c98e497d4a78fa9030cfa202813761225ab9371ec8dcb3b5d5ae2eb31c
Instruction ID: b7740c51931fb2979f0764ffea68850a5093cfaeff8d4979e81854ff00d0900b
Opcode Fuzzy Hash: fa6ef8c98e497d4a78fa9030cfa202813761225ab9371ec8dcb3b5d5ae2eb31c
Instruction Fuzzy Hash: 3AE18471508301DFDB14EF29C881A6AB7E4FF85314F08896DF8999B2A2DB31DD05CB92

Function 008A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

BeginPaint.USER32(?,?,?), ref: 008A9241
GetWindowRect.USER32(?,?), ref: 008A92A5
ScreenToClient.USER32(?,?), ref: 008A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008A92D3
EndPaint.USER32(?,?,?,?,?), ref: 008A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008E71EA

Part of subcall function 008A9339: BeginPath.GDI32(00000000), ref: 008A9357

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7045db4160a6d269ecc37e10f43e2ccfc2cb958844391962f9e1a39199f66b83
Instruction ID: 6514513352579e1f14233a119fc3ae45abc0ff542154cfd4ba8e7777d833efe3
Opcode Fuzzy Hash: 7045db4160a6d269ecc37e10f43e2ccfc2cb958844391962f9e1a39199f66b83
Instruction Fuzzy Hash: 3F41AE7010D301AFEB20DF25D885FAA7BB8FF46764F140269F9A4C72A1C7719845EB62

Function 009007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0090080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00900847
EnterCriticalSection.KERNEL32(?), ref: 00900863
LeaveCriticalSection.KERNEL32(?), ref: 009008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00900921

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fe952ece940d459445f49e953e6522656d9a5ad5c592bee6ee162fe375a9f0e2
Instruction ID: cfbdb0ef9748b209feeb7fee04a916a0aea0e29fca6a5fc4e73856daf9881cb0
Opcode Fuzzy Hash: fe952ece940d459445f49e953e6522656d9a5ad5c592bee6ee162fe375a9f0e2
Instruction Fuzzy Hash: E5415A71900205EFEF149F94DC85AAA77B8FF44300F1480A5ED00DA297DB31DE65DBA5

Function 009281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008EF3AB,00000000,?,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 0092824C
EnableWindow.USER32(?,00000000), ref: 00928272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009282D1
ShowWindow.USER32(?,00000004), ref: 009282E5
EnableWindow.USER32(?,00000001), ref: 0092830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0092832F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c9cc1d86644e4ef5560025918ff80869896e6772d6c14bdcb9c724e0c676af7c
Instruction ID: 68e1a8ed01fa9429796503f7057bec6fe4284c1b8f665c5e4bb68997936aa214
Opcode Fuzzy Hash: c9cc1d86644e4ef5560025918ff80869896e6772d6c14bdcb9c724e0c676af7c
Instruction Fuzzy Hash: 5041F430606650EFDB25CF14E899BE97BE4FF0A754F1842A8E5184F2B6CB72A841DF50

Function 008F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008F4CEA
_wcslen.LIBCMT ref: 008F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008F4D10
_wcsstr.LIBVCRUNTIME ref: 008F4D1A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 38b3818242269a3227acffd7ebaae0c59e630504d9b9df232f88076236661b6f
Instruction ID: 537b091b17044012b5dba95419939518f53c69d59044c6dab0b6eedbfb7e1e35
Opcode Fuzzy Hash: 38b3818242269a3227acffd7ebaae0c59e630504d9b9df232f88076236661b6f
Instruction Fuzzy Hash: 532129712042097BFB256B799C09E7F7B9CFF45750F10502AFA05CA192DA75DC0192A1

Function 0090581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

_wcslen.LIBCMT ref: 0090587B
CoInitialize.OLE32(00000000), ref: 00905995
CoCreateInstance.OLE32(0092FCF8,00000000,00000001,0092FB68,?), ref: 009059AE
CoUninitialize.OLE32 ref: 009059CC

Strings

.lnk, xrefs: 00905876, 009058C1, 00905985

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aea3980d4193be85dd1a5700f45b741ef75db5cc2d60cd1b7a08ee89e5957a29
Instruction ID: 27cea194cf9f5b5c9a96783e697fa603594365ea1c7ba99399ed329dd8538d89
Opcode Fuzzy Hash: aea3980d4193be85dd1a5700f45b741ef75db5cc2d60cd1b7a08ee89e5957a29
Instruction Fuzzy Hash: 90D143716086019FCB14EF18C480A2BBBE5FF89714F568859F8999B3A1DB31EC45CF92

Function 008F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008F0FCA
Part of subcall function 008F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008F0FD6
Part of subcall function 008F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008F0FE5
Part of subcall function 008F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008F0FEC
Part of subcall function 008F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008F1002

GetLengthSid.ADVAPI32(?,00000000,008F1335), ref: 008F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008F17BA
HeapAlloc.KERNEL32(00000000), ref: 008F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008F17DA
GetProcessHeap.KERNEL32(00000000,00000000,008F1335), ref: 008F17EE
HeapFree.KERNEL32(00000000), ref: 008F17F5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfc1f61f9a236aec6525dd39800802a12a59efc8a2ea54b51a6f13e3b30f3348
Instruction ID: 1b99460e19df00db4ffe5b25b3e6dcba58ed969b77b093cf764619e6d1fe5346
Opcode Fuzzy Hash: dfc1f61f9a236aec6525dd39800802a12a59efc8a2ea54b51a6f13e3b30f3348
Instruction Fuzzy Hash: 6A119A71914209EFDF20AFA4CC4ABBF7BA9FB41355F104018F545D7215C735A945DB60

Function 008F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008F1515
CloseHandle.KERNEL32(00000004), ref: 008F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008F1563

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fe1ac81b5291865aeff939b341a7f2d619fe872d39148d741aca4907ad429fb5
Instruction ID: 8ac34d0e7f981c7a833ef3dd89a91aa7e36b518aa7c59537b7e9f8763331c4bd
Opcode Fuzzy Hash: fe1ac81b5291865aeff939b341a7f2d619fe872d39148d741aca4907ad429fb5
Instruction Fuzzy Hash: A21117B250424DEBDF218FA8DD49BEE7BA9FF48748F144015FA05E2060C3758E65AB64

Function 008B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008B3379,008B2FE5), ref: 008B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008B33B7
SetLastError.KERNEL32(00000000,?,008B3379,008B2FE5), ref: 008B3409

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9725498b3e9ce272ab320201ede4a67ffa3245bf5d7cb25f097bb5743ccaf592
Instruction ID: f3843b94d3eb060816aeb731c0f98f05000390a25617de0180a93676b6062eab
Opcode Fuzzy Hash: 9725498b3e9ce272ab320201ede4a67ffa3245bf5d7cb25f097bb5743ccaf592
Instruction Fuzzy Hash: B4014C7321C711BEAA242779BC86AD72F94FB2937A7200229F410C13F1FF114D06B244

Function 008C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008C5686,008D3CD6,?,00000000,?,008C5B6A,?,?,?,?,?,008BE6D1,?,00958A48), ref: 008C2D78
_free.LIBCMT ref: 008C2DAB
_free.LIBCMT ref: 008C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008BE6D1,?,00958A48,00000010,00894F4A,?,?,00000000,008D3CD6), ref: 008C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008BE6D1,?,00958A48,00000010,00894F4A,?,?,00000000,008D3CD6), ref: 008C2DEC
_abort.LIBCMT ref: 008C2DF2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 785c01de04452403a343c4518a5c8f9f56ce4cdde33b170d693e484e2a4c01f2
Instruction ID: acfbf2508c6e3fe008dd9abc01ae59dac748481b46037c1a828bde75ceb8407c
Opcode Fuzzy Hash: 785c01de04452403a343c4518a5c8f9f56ce4cdde33b170d693e484e2a4c01f2
Instruction Fuzzy Hash: D5F0A471508B056BC622773DBC06F1E2679FBD17A6F24451CF925D21D2EF34C8065162

Function 00928A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96A2
Part of subcall function 008A9639: BeginPath.GDI32(?), ref: 008A96B9
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00928A4E
LineTo.GDI32(?,00000003,00000000), ref: 00928A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00928A70
LineTo.GDI32(?,00000000,00000003), ref: 00928A80
EndPath.GDI32(?), ref: 00928A90
StrokePath.GDI32(?), ref: 00928AA0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e35991cb2a25d683a2dbe62942e4539640db5a03e0915dfb127cada377b1275a
Instruction ID: 3de60fd1ec9568026d009b60cdd3aef0d763d0b783cab860b15198f07e61385f
Opcode Fuzzy Hash: e35991cb2a25d683a2dbe62942e4539640db5a03e0915dfb127cada377b1275a
Instruction Fuzzy Hash: 53110C76044118FFEF129F94EC48E9A7F6CEB08350F048011FA1995161C7719D55EBA0

Function 008F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F5230
ReleaseDC.USER32(00000000,00000000), ref: 008F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008F5261

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9b2817c7ee01dcd5f80f787d5017437d8a7acd3bd9bc973a517b38a8e6fdfbb9
Instruction ID: a861ca3202c212cbc79cc8c67620575fee052b21dbe0a1db3d2ceb64509d7d38
Opcode Fuzzy Hash: 9b2817c7ee01dcd5f80f787d5017437d8a7acd3bd9bc973a517b38a8e6fdfbb9
Instruction Fuzzy Hash: 48018FB5E04709BBEB109BB69C49A5EBFB8FF48751F044165FB04E7281DA709801DFA0

Function 00891BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00891BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00891BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00891C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00891C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00891C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00891C22

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 162e399e505a24b591f771e77441393ccb3f858eaabe6e0e54d0adaf209772d7
Instruction ID: eea579446825d141c8d2115a1b9c3dbf81a4614a7054e69e288f98ad2198da46
Opcode Fuzzy Hash: 162e399e505a24b591f771e77441393ccb3f858eaabe6e0e54d0adaf209772d7
Instruction Fuzzy Hash: 7A0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 008FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB75

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 582d84ade9999b157b33cbb2b4f515448ace16cf7c0647282106e514cc6af3f1
Instruction ID: 56dc89909e2670e020781df9c12ef30adc5b0402b38b5af24c85de44155e6bb3
Opcode Fuzzy Hash: 582d84ade9999b157b33cbb2b4f515448ace16cf7c0647282106e514cc6af3f1
Instruction Fuzzy Hash: E6F05EB2254559BBE7315B629C0EEEF3E7CEFCAB11F000158F601E1091D7A05A02E6B5

Function 008E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008E7469
GetWindowDC.USER32(?), ref: 008E7475
GetPixel.GDI32(00000000,?,?), ref: 008E7484
ReleaseDC.USER32(?,00000000), ref: 008E7496
GetSysColor.USER32(00000005), ref: 008E74B0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9ab00138564560753740fde624b3eacba3508fd21e80e5ac97f7cb8c3ea76a6e
Instruction ID: 8e296297f82087dfe65852ddcda8075874d5b04e797991ab2645d11f69411d79
Opcode Fuzzy Hash: 9ab00138564560753740fde624b3eacba3508fd21e80e5ac97f7cb8c3ea76a6e
Instruction Fuzzy Hash: 8201867141820AFFEB215FA4DC08BAE7BB5FF05325F200064FA16A21A1CB311E52BB50

Function 008F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008F187F
UnloadUserProfile.USERENV(?,?), ref: 008F188B
CloseHandle.KERNEL32(?), ref: 008F1894
CloseHandle.KERNEL32(?), ref: 008F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008F18A5
HeapFree.KERNEL32(00000000), ref: 008F18AC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2b8441044dd6da01261c9ebb56d09458b8a5b60d229e60207c9768dfa2afa097
Instruction ID: 9366f82320da1377446cc83df21c79aa5d93bb69bdba0f6ee770553e3302b352
Opcode Fuzzy Hash: 2b8441044dd6da01261c9ebb56d09458b8a5b60d229e60207c9768dfa2afa097
Instruction Fuzzy Hash: EFE0E5B601C501BBDB115FA1ED0D90EBF39FF49B22B208620F22581075CB329432EF50

Function 008FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008FC6EE
_wcslen.LIBCMT ref: 008FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008FC7CA

Strings

0, xrefs: 008FC6AF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 183e0f737d1714db413afec8af686f8840e0b0d7f4e72c4b012118100c8f8855
Instruction ID: 9dc2b56abebf46eddb74e9a0b7973a0833bec75c3f91d596068b0da56ccf200c
Opcode Fuzzy Hash: 183e0f737d1714db413afec8af686f8840e0b0d7f4e72c4b012118100c8f8855
Instruction Fuzzy Hash: E751FF7161830C9BD714AF3CCA84A7B77E4FF89314F080A2DFA91D21A0DB64DA04CB52

Function 0091AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0091AEA3

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

GetProcessId.KERNEL32(00000000), ref: 0091AF38
CloseHandle.KERNEL32(00000000), ref: 0091AF67

Strings

<, xrefs: 0091AE6B
@, xrefs: 0091AE72

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: edd09bffa8cc82945237127ccadd4c621a6844384a685d5a6e65eead57ca5fb4
Instruction ID: a0c46bd643ca9c00889b24b1f5d8d383344979f7e2bd875f09d352614bc38b43
Opcode Fuzzy Hash: edd09bffa8cc82945237127ccadd4c621a6844384a685d5a6e65eead57ca5fb4
Instruction Fuzzy Hash: 87713775A006199FCB14EF58C484A9EBBF4FF08314F048499E816AB3A2C775ED85CB92

Function 008F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008F72CF

Strings

DllGetClassObject, xrefs: 008F7242

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 279d0af7ee091cada4c303505f3116fc89a0e2fc0ca3d8f4bba1ac5372c4bc2e
Instruction ID: 36f87cb9f829e51b57e1f5932161cd46d6297e31bde84e300c10442857d4c881
Opcode Fuzzy Hash: 279d0af7ee091cada4c303505f3116fc89a0e2fc0ca3d8f4bba1ac5372c4bc2e
Instruction Fuzzy Hash: 8C416471604208DFEB15CF64C885AAA7BB9FF44314F1480ADBE06DF20AD7B1D945DBA0

Function 00923D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00923E35
IsMenu.USER32(?), ref: 00923E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00923E92
DrawMenuBar.USER32 ref: 00923EA5

Strings

0, xrefs: 00923D89

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2ad7abd2a4ad207f45cd08c01df3d9a2624ca250d76648dd510d55eb3ecc3a0a
Instruction ID: 7f9a09f8ccb554807fb5ae09e4c9835d687979b188446115cd6d806225fd61d6
Opcode Fuzzy Hash: 2ad7abd2a4ad207f45cd08c01df3d9a2624ca250d76648dd510d55eb3ecc3a0a
Instruction Fuzzy Hash: 52416A75A10219AFDB10DF50E884EAABBB9FF48350F058029F905A7250D738EE49DF91

Function 008F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008F1EA9

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Strings

ListBox, xrefs: 008F1E25
ComboBox, xrefs: 008F1DF0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f8d133c539a0a970faef15ca90a1c1fdaea7ab15a46f7c2b7801d2cae6b2a9a2
Instruction ID: f879df4a10f91db22a8f3084f8c8e93f623f407823ccb268df519e9a891be1ad
Opcode Fuzzy Hash: f8d133c539a0a970faef15ca90a1c1fdaea7ab15a46f7c2b7801d2cae6b2a9a2
Instruction Fuzzy Hash: A521E571A00108BADF14ABB9DC59CFFB7B8FF45364B144129F925E71E1DB34490AD621

Function 0091C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091C9F1
_wcslen.LIBCMT ref: 0091CA68
_wcslen.LIBCMT ref: 0091CA9E
_wcslen.LIBCMT ref: 0091CAF9
_wcslen.LIBCMT ref: 0091CB2F
_wcslen.LIBCMT ref: 0091CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0091CA62, 0091CA67
HKLM, xrefs: 0091CA98, 0091CA9D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: d05cd5052c6ec766e95dba83dcc5512d63568ef22aa44275a4176e8522b047b4
Instruction ID: 2780a61768faa067b5988f1ce78ee565d3f6a1791d38de8d0c7d83cbf89c5683
Opcode Fuzzy Hash: d05cd5052c6ec766e95dba83dcc5512d63568ef22aa44275a4176e8522b047b4
Instruction Fuzzy Hash: 763148B3B8016D4BCB22EF6D99400FE3399AFA1740F090029EC55AB345E670CEC4D3A1

Function 00922F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00922F8D
LoadLibraryW.KERNEL32(?), ref: 00922F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00922FA9
DestroyWindow.USER32(?), ref: 00922FB1

Strings

SysAnimate32, xrefs: 00922F68

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c8ef3c2749f503ebb21a8fb4040a25deb044eb97a6a295d9d45c29a0f453641e
Instruction ID: 17a8b5ca5daf193e63c7f3f14043255c30bf4c8ec3b5813a290b7c59d7391452
Opcode Fuzzy Hash: c8ef3c2749f503ebb21a8fb4040a25deb044eb97a6a295d9d45c29a0f453641e
Instruction Fuzzy Hash: 4521AE71204215BBEB208F64ED80FFB77BDEB59364F100618F950D2198D771DC51A760

Function 008B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008B4D1E,008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002), ref: 008B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008B4D1E,008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000), ref: 008B4DC3

Strings

CorExitProcess, xrefs: 008B4D98
mscoree.dll, xrefs: 008B4D86

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 57d2189672784ec5dbc28f44ae14053a8234771764cdb62c03eaacbe2d800155
Instruction ID: 219a1ab693b85528c9f5fc67158d99352c3ecb95ecacb7628ea07242050373e8
Opcode Fuzzy Hash: 57d2189672784ec5dbc28f44ae14053a8234771764cdb62c03eaacbe2d800155
Instruction Fuzzy Hash: B2F0AF70A14208BBDB209F90DC0ABEEBBB4EF44752F0400A4F806E22A1CB305941EF90

Function 00894E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00894EAE
FreeLibrary.KERNEL32(00000000,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EC0

Strings

kernel32.dll, xrefs: 00894E94
Wow64DisableWow64FsRedirection, xrefs: 00894EA8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: bb3764242af25ccf8875f94623771d38bf81281cd4fe5137e1873f013118601e
Instruction ID: a9076c19f736bd579ecdd0468ec54184cc2291c82589bf86e75f5e575a6dbaea
Opcode Fuzzy Hash: bb3764242af25ccf8875f94623771d38bf81281cd4fe5137e1873f013118601e
Instruction Fuzzy Hash: BDE08675A195225B973127257C19E5F6654FFC1B737090115FC05D2101DB60CD0791E0

Function 00894E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00894E74
FreeLibrary.KERNEL32(00000000,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E87

Strings

kernel32.dll, xrefs: 00894E5B
Wow64RevertWow64FsRedirection, xrefs: 00894E6E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a7b161a1ee95379cf5ea520ff6fd16736da689df435fe526461b3b213e3bd779
Instruction ID: ac867e7de419affc7306ff5c3b30c6475d0139bbc80c339d1563c5a03f36ff9f
Opcode Fuzzy Hash: a7b161a1ee95379cf5ea520ff6fd16736da689df435fe526461b3b213e3bd779
Instruction Fuzzy Hash: 8CD0C23292AA31574A322B257C09D8F2A18FF85B653490110BC04E2215CF20CD13D1D0

Function 00902947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902C05
DeleteFileW.KERNEL32(?), ref: 00902C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00902C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902CC0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6c038e7b6e9fa14033b1c19014986e4c5197904344d7b6ad60976506669375b6
Instruction ID: e40e45d5a45c50a0efa2856419dc371cdbf4534d2142af3f02765566630b5abb
Opcode Fuzzy Hash: 6c038e7b6e9fa14033b1c19014986e4c5197904344d7b6ad60976506669375b6
Instruction Fuzzy Hash: DFB12071D00119AFDF25EBA4CC89EDEB7BDFF49350F1040A6FA09E6191EA349A448F61

Function 0091A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0091A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0091A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0091A468
CloseHandle.KERNEL32(?), ref: 0091A63D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 670eeeacfe6bcf670f1a57c3a9d5e6b77d524262143cab812119e40f78951984
Instruction ID: 647ecda9a7908990410be67196bf5de33223349a39720ad3b97c59b0e3bf0dc1
Opcode Fuzzy Hash: 670eeeacfe6bcf670f1a57c3a9d5e6b77d524262143cab812119e40f78951984
Instruction Fuzzy Hash: 80A17E716043009FD720EF28D886B2AB7E5FF84714F14885DF55ADB292DBB1EC418B92

Function 008FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008FCF22,?), ref: 008FDDFD

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008FCF22,?), ref: 008FDE16

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

lstrcmpiW.KERNEL32(?,?), ref: 008FE473
MoveFileW.KERNEL32(?,?), ref: 008FE4AC
_wcslen.LIBCMT ref: 008FE5EB
_wcslen.LIBCMT ref: 008FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008FE650

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f62705e242f4c59cfc6c754ebe85f4b3fc2837e9be5a967aacc7b7268909d68e
Instruction ID: b836fc3e9e8f83436bfbbf3786878aa04d47553aa0371e64b8f2bcb9f570db5b
Opcode Fuzzy Hash: f62705e242f4c59cfc6c754ebe85f4b3fc2837e9be5a967aacc7b7268909d68e
Instruction Fuzzy Hash: FF5120B24087495BC724EBA8DC819EB73DCFF94344F00492EF689D3161EE75A6888767

Function 0091B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0091BB63
RegCloseKey.ADVAPI32(?,?), ref: 0091BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0091BBB3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4853edd2dbe853952310f745895acb21110cef82d40ecd5ecb51613c4ff113eb
Instruction ID: 9686adb7d86a8109ce1aabb3238a91cba2389f20b442ecc980cadea9b9c0fbfc
Opcode Fuzzy Hash: 4853edd2dbe853952310f745895acb21110cef82d40ecd5ecb51613c4ff113eb
Instruction Fuzzy Hash: 5E61B571208245EFD714DF18C490E6ABBE9FF84308F54895DF4998B2A2DB31ED85CB92

Function 008F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F8BCD
VariantClear.OLEAUT32 ref: 008F8C3E
VariantClear.OLEAUT32 ref: 008F8C9D
VariantClear.OLEAUT32(?), ref: 008F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008F8D3B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e946fbc4b7f533ffc11d703534dcd48bbd09719877656c8e6a7d8c44340fe803
Instruction ID: 67283b9025c256c4d99c309737b2b1f6b31b8f42394fa46bf94832354ac0459a
Opcode Fuzzy Hash: e946fbc4b7f533ffc11d703534dcd48bbd09719877656c8e6a7d8c44340fe803
Instruction Fuzzy Hash: 315178B5A00619EFCB10DF68C884AAAB7F9FF89314B158559FA09DB354E730E911CF90

Function 00908AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00908BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00908BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00908C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00908C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00908C5F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 936bd38225cccfe8efededf6844648bca5417d9f9ba216b20f54dad3666444c7
Instruction ID: 5b6b4af71a70197069028913bcf2055378c93cef6636658d25bab227af701da3
Opcode Fuzzy Hash: 936bd38225cccfe8efededf6844648bca5417d9f9ba216b20f54dad3666444c7
Instruction Fuzzy Hash: 89513835A002149FDF11EF68C880A6ABBF5FF49314F088458E849AB3A2DB35ED51CB91

Function 00918EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00918F40
GetProcAddress.KERNEL32(00000000,?), ref: 00918FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00918FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00919032
FreeLibrary.KERNEL32(00000000), ref: 00919052

Part of subcall function 008AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00901043,?,753CE610), ref: 008AF6E6
Part of subcall function 008AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008EFA64,00000000,00000000,?,?,00901043,?,753CE610,?,008EFA64), ref: 008AF70D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8ffe4875f20ab971f211586ee2b5d99aebd584a0ccf18d4466f2bc52993746a9
Instruction ID: 7b01fa639d463f72f95aea343542e33fc65fc392ecf25cfcffb75f9318ea22a4
Opcode Fuzzy Hash: 8ffe4875f20ab971f211586ee2b5d99aebd584a0ccf18d4466f2bc52993746a9
Instruction Fuzzy Hash: 62515D35604209DFCB15EF58C4948EDBBF5FF49314B0980A8E806AB362DB31ED86CB91

Function 00926B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00926C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00926C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00926C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0090AB79,00000000,00000000), ref: 00926C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00926CC7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1df5a5c123dea75a92825240a165569080cf1547059d323ab24ef1d5f8bf6cac
Instruction ID: 38402f44143c325de33a25f304860ed3e37a8b041f4d4a3f14e708bc8bb4dfcb
Opcode Fuzzy Hash: 1df5a5c123dea75a92825240a165569080cf1547059d323ab24ef1d5f8bf6cac
Instruction Fuzzy Hash: 4E411975A08124AFD724EF28EC54FA97BA9EB09360F140268FAD5E76E4C371ED41DA40

Function 008C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008C20C3
_free.LIBCMT ref: 008C20E3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1001099342ee0e75326a010fbac857561d4084ce84ddb9916e62635b5a68112f
Instruction ID: c9996cdf585df99e861454ddd6486121cd2dfc26f8f375058236e0b607dcd33c
Opcode Fuzzy Hash: 1001099342ee0e75326a010fbac857561d4084ce84ddb9916e62635b5a68112f
Instruction Fuzzy Hash: 3641AC72A002049FDB24DFB8C881F59B7B5FF89314F1545ADE615EB292DA31E901CB81

Function 008A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A9141
ScreenToClient.USER32(00000000,?), ref: 008A915E
GetAsyncKeyState.USER32(00000001), ref: 008A9183
GetAsyncKeyState.USER32(00000002), ref: 008A919D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9461139d6277a8b5c4af5de617da8afdb5bbd3f372f5b3196869e30a8cec38db
Instruction ID: ada97c0dbfb87d778ce59bc92143b4b8b4b32aaf5670809ff9b06338621777b9
Opcode Fuzzy Hash: 9461139d6277a8b5c4af5de617da8afdb5bbd3f372f5b3196869e30a8cec38db
Instruction Fuzzy Hash: 78417D71A0C65AFBDF159F68C848BEEB774FF06324F20821AE469E7290C7346950DB91

Function 00903874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00903922
TranslateMessage.USER32(?), ref: 0090394B
DispatchMessageW.USER32(?), ref: 00903955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00903966

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6ef675ebc704942df552debba786d1ad856a8f3874756b81c86cd44180c630b
Instruction ID: 6723ec51ac6f82d924e7cfe5409d539c65ddb55a0b94889c800be323648f33e2
Opcode Fuzzy Hash: b6ef675ebc704942df552debba786d1ad856a8f3874756b81c86cd44180c630b
Instruction Fuzzy Hash: C531B370928341DFEB39CB359949FB637ACAB05304F08856DE472C21E0E3F49A85EB51

Function 0090CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0090CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFF2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 56f4cce50f69470fd470f0e4d8800bddf7fce4228fda66de24f5dd78036a2ba3
Instruction ID: ffd49d1829d296ac4c12628e91b0cf321d674bb8a5bd388dadb51902435f500f
Opcode Fuzzy Hash: 56f4cce50f69470fd470f0e4d8800bddf7fce4228fda66de24f5dd78036a2ba3
Instruction Fuzzy Hash: 3D317AB1604206EFDB20DFA9C884AAFBBFDEF04351B10452EF616D2181DB30EE419B61

Function 008F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008F19E2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6bb881217acb38fe42ddb2cce22df4ce6871f358605b7b6f14137a4a0fc7b958
Instruction ID: e6b6df2bb3951edd50de96c3c03d1d11998ba801a70c3e9ea41bed13638d8faf
Opcode Fuzzy Hash: 6bb881217acb38fe42ddb2cce22df4ce6871f358605b7b6f14137a4a0fc7b958
Instruction Fuzzy Hash: 95318A71A1021DEFDB14CFB8C999AAE3BB5FB04315F504229FA21E72D1C7B09954DB90

Function 00925706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00925745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0092579D
_wcslen.LIBCMT ref: 009257AF
_wcslen.LIBCMT ref: 009257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00925816

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8256d361bcb5061a66a65b7e1ac5d08c3d6e9610825105fab9137ca77d1df4af
Instruction ID: 1d9666ce7efdd1eb66adc868745c91574878c5d5a9e11b646e81e3ffc1802278
Opcode Fuzzy Hash: 8256d361bcb5061a66a65b7e1ac5d08c3d6e9610825105fab9137ca77d1df4af
Instruction Fuzzy Hash: F921B675904628DADB209FA5EC85AEDBBBCFF44324F108216F929EB198D770C985CF50

Function 00910930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00910951
GetForegroundWindow.USER32 ref: 00910968
GetDC.USER32(00000000), ref: 009109A4
GetPixel.GDI32(00000000,?,00000003), ref: 009109B0
ReleaseDC.USER32(00000000,00000003), ref: 009109E8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 06998ed2f48ea3e09dcf7163dc4beaf85a85ea81796c49116a935ffa5c75f7c4
Instruction ID: fc889a01492ca9adfea521cf862d1981071a8fcec171d842f30157e5b80be1bd
Opcode Fuzzy Hash: 06998ed2f48ea3e09dcf7163dc4beaf85a85ea81796c49116a935ffa5c75f7c4
Instruction Fuzzy Hash: E321C375600204AFD714EF68D884AAEBBF9FF84740F048428F84AD7762CB70AC44DB90

Function 008CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008CCDE9

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008CCE0F
_free.LIBCMT ref: 008CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008CCE31

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a034f443395a7efa69df6fc338c9c9c803142cbef118e70b238a58928e623ca1
Instruction ID: 3d73f9b554fad4a2e0bb1596c8c476f08a29b4d2e9e5b0b9c932c01681ba3238
Opcode Fuzzy Hash: a034f443395a7efa69df6fc338c9c9c803142cbef118e70b238a58928e623ca1
Instruction Fuzzy Hash: 0701D4B26056157F232116BAAC88E7F6A7DFEC7BA1315012DF909C7201EB71CD0291F0

Function 008A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
SelectObject.GDI32(?,00000000), ref: 008A96A2
BeginPath.GDI32(?), ref: 008A96B9
SelectObject.GDI32(?,00000000), ref: 008A96E2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d0407b687efd80d9f58b1909e6e537fc7006cfd32cf3123b871ed927c97c7954
Instruction ID: 6a1816ec7d534e1a8ac2de670f15f3d82c4d3534b3e21bc1eebd86c87e8a9797
Opcode Fuzzy Hash: d0407b687efd80d9f58b1909e6e537fc7006cfd32cf3123b871ed927c97c7954
Instruction Fuzzy Hash: 82217F7082E305EBEF119F68ED157A93BA8FF22355F18021AF450E61A1D3B05891EF94

Function 008F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008F5726
_memcmp.LIBVCRUNTIME ref: 008F5744
_memcmp.LIBVCRUNTIME ref: 008F5757
_memcmp.LIBVCRUNTIME ref: 008F576F
_memcmp.LIBVCRUNTIME ref: 008F5787

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4a173d51d62db05dab024dd6f6a04a15afea57be95124c231341d7269c4a20a
Instruction ID: 67f9b8b4b3f4b2716e3f6f5c0dc6c0ab026919c34c800428fced8593851aac38
Opcode Fuzzy Hash: c4a173d51d62db05dab024dd6f6a04a15afea57be95124c231341d7269c4a20a
Instruction Fuzzy Hash: 2201B562645A1DBBD608A525AD92FFB739CFB65398F504030FF09DE341F764ED1082A1

Function 008C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6), ref: 008C2DFD
_free.LIBCMT ref: 008C2E32
_free.LIBCMT ref: 008C2E59
SetLastError.KERNEL32(00000000,00891129), ref: 008C2E66
SetLastError.KERNEL32(00000000,00891129), ref: 008C2E6F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2df209b11a80dd567f5c274873663bca9bd5edacc30bb7791281583b4ec42dd9
Instruction ID: bf2116d3df90e41343924c1d8d59a0181fb843271b4df70c654ae7389176c533
Opcode Fuzzy Hash: 2df209b11a80dd567f5c274873663bca9bd5edacc30bb7791281583b4ec42dd9
Instruction Fuzzy Hash: 6201F476209B046BCA2267796C45F2F267DFBC13B6B20442CF421F21D3EB30CC065121

Function 008F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?,?,008F035E), ref: 008F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?), ref: 008F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0070

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3c59fabc5d1f2be3a4f8ae39bd8c1197525a8071cd0381f4eb8bd16da40595ef
Instruction ID: 996d81a607fe431b0494c991840a1f8bfc2b7d8be3bd84f0a2ba8ac2306009da
Opcode Fuzzy Hash: 3c59fabc5d1f2be3a4f8ae39bd8c1197525a8071cd0381f4eb8bd16da40595ef
Instruction Fuzzy Hash: BA0171B2610608BFDB204F64DC04BAE7AADEB84751F144114FA05D2211EB71DD459BA0

Function 008FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008FE9A5
Sleep.KERNEL32(00000000), ref: 008FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008FE9B7
Sleep.KERNEL32 ref: 008FE9F3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: af1b562f98bf66f7b4a1a1d62c8abf7aeeb487b37fbb805fdb5e7419e666fd68
Instruction ID: 7834fbcbb7eedc4f9506254d4788c0ef7d379653e8b186cd35a6a7eeecee5058
Opcode Fuzzy Hash: af1b562f98bf66f7b4a1a1d62c8abf7aeeb487b37fbb805fdb5e7419e666fd68
Instruction Fuzzy Hash: 35013571E09A2DDBCF10ABF4D849AEDBB78FB09700F000546E602F2261CB7096569BA1

Function 008F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 47f43c93035eee5af57bb43a6c12ce668e3074bac4f66ef9037bc1c75ac4b640
Instruction ID: b0e202b6b73844dc29a0a72f57d7ec85bb6dca52e81211b43f60cdaefbdc648f
Opcode Fuzzy Hash: 47f43c93035eee5af57bb43a6c12ce668e3074bac4f66ef9037bc1c75ac4b640
Instruction Fuzzy Hash: F7016DB9104205BFDF214F64DC4DA6A3B6EFF85360B100414FA41C3350DB31DC419A60

Function 008F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008F1002

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e673f34a0e0819afe7bee31f064819c4e09d33a569848f1d91c6eda0c1a1cd8a
Instruction ID: 97448b9584348cb438b3f5d48a3c354d16ac5c9e7afff3853ad89acc9d50fa43
Opcode Fuzzy Hash: e673f34a0e0819afe7bee31f064819c4e09d33a569848f1d91c6eda0c1a1cd8a
Instruction Fuzzy Hash: 3DF0A9B6204305EBDB214FA49C4EF6A3BADFF89B62F200424FA05C7251CA30DC419A60

Function 008F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1062

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f886856b2fb3f44aae107a1c3d516cb1e02c879986ad7b0b9b5883a13471a06e
Instruction ID: 070d71bfa0f79a19346e78b50a700fab24018a4a207f4fbfa06868335311854a
Opcode Fuzzy Hash: f886856b2fb3f44aae107a1c3d516cb1e02c879986ad7b0b9b5883a13471a06e
Instruction Fuzzy Hash: C9F0CDB5204305FBDB219FA4EC4DF6A3BADFF89761F200424FA05C7250DE30D8419A60

Function 0090030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900324
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900331
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 0090033E
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 0090034B
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900358
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900365

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a70286d7a276c6f695caf05ed1656fc8b8be2b20623b2aabdeadd3834bfbd97e
Instruction ID: 276c55b596440314da5acc0843647361ac6e35d7cf47d2e9dce4a3a0b43bb3f3
Opcode Fuzzy Hash: a70286d7a276c6f695caf05ed1656fc8b8be2b20623b2aabdeadd3834bfbd97e
Instruction Fuzzy Hash: 5E01EE72800B019FCB31AF66D880902FBF9BFA03153148A3FD19692970C3B0A948DF80

Function 008CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008CD752

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CD764
_free.LIBCMT ref: 008CD776
_free.LIBCMT ref: 008CD788
_free.LIBCMT ref: 008CD79A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d80c708097eca318eea6d483ce4b90e4061137d5fc4d959bbf6389c6ded3a345
Instruction ID: e220a14fc45e069b7df2c685ff5378f8a168b71b0e6cce5ece74675722851d2e
Opcode Fuzzy Hash: d80c708097eca318eea6d483ce4b90e4061137d5fc4d959bbf6389c6ded3a345
Instruction Fuzzy Hash: 89F037B2558304AB8625FB69F9C6E1A7BFDFB04311BA5081DF048E7642CB30FC808A61

Function 008F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008F5C6F
MessageBeep.USER32(00000000), ref: 008F5C87
KillTimer.USER32(?,0000040A), ref: 008F5CA3
EndDialog.USER32(?,00000001), ref: 008F5CBD

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6511f8eb139255b77cdeed87096aac5d11d292b43a55f7a9237b721266b6b332
Instruction ID: 3d20906090c618459d25deeb3a0a387d6f8060e8a5cb43eb1af1dc74e0ebf390
Opcode Fuzzy Hash: 6511f8eb139255b77cdeed87096aac5d11d292b43a55f7a9237b721266b6b332
Instruction Fuzzy Hash: 0B018170514B08ABEB305B20DD5EFBA77B8FF00B06F040559A783E14E1DBF4A9899B91

Function 008C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008C22BE

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008C22D0
_free.LIBCMT ref: 008C22E3
_free.LIBCMT ref: 008C22F4
_free.LIBCMT ref: 008C2305

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f919aef6e75ff38344997cea10890333bd8590f4d90880da6e8ca4647b2b873
Instruction ID: fcf8f3d53e1d20d05e742ada8fada829316d2f76b2c9be80c436352b64ef00b2
Opcode Fuzzy Hash: 9f919aef6e75ff38344997cea10890333bd8590f4d90880da6e8ca4647b2b873
Instruction Fuzzy Hash: 26F03AB08693209FC612AF58BC41E093FB4F718762744050EF420D22F1CBB18911FFA5

Function 008A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008A95D4
StrokeAndFillPath.GDI32(?,?,008E71F7,00000000,?,?,?), ref: 008A95F0
SelectObject.GDI32(?,00000000), ref: 008A9603
DeleteObject.GDI32 ref: 008A9616
StrokePath.GDI32(?), ref: 008A9631

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 122f25731a0fa83f256ecef8895bdbd307b6c5ea393627ae9111fe9819ece7ab
Instruction ID: a5f51ffb634a40b581750eb80dca655265090404dddb4d56790917903653e318
Opcode Fuzzy Hash: 122f25731a0fa83f256ecef8895bdbd307b6c5ea393627ae9111fe9819ece7ab
Instruction Fuzzy Hash: 6FF0313042D204EBEB265F55FE1D7683B65FB12362F088218F455954F1C7B04556FF60

Function 008C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008C10F9
__freea.LIBCMT ref: 008C1117

Part of subcall function 008C1537: _free.LIBCMT ref: 008C154F

Strings

a/p, xrefs: 008C11DE
am/pm, xrefs: 008C117A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3caa4be8e072c86c4eb47f656362b12cf226671f3d50c6b1aecaf40434c3c379
Instruction ID: 60eeb540458e2c2d5863636a0b0b1195d138fd9e66eac892b798ebbca2836d80
Opcode Fuzzy Hash: 3caa4be8e072c86c4eb47f656362b12cf226671f3d50c6b1aecaf40434c3c379
Instruction Fuzzy Hash: EAD1BD3591024A8ADF249F68C8D9FBAB7B1FB07708F28415EE501DBA52D379DD80CB91

Function 00917B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008B0242: EnterCriticalSection.KERNEL32(0096070C,00961884,?,?,008A198B,00962518,?,?,?,008912F9,00000000), ref: 008B024D
Part of subcall function 008B0242: LeaveCriticalSection.KERNEL32(0096070C,?,008A198B,00962518,?,?,?,008912F9,00000000), ref: 008B028A

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008B00A3: __onexit.LIBCMT ref: 008B00A9

__Init_thread_footer.LIBCMT ref: 00917BFB

Part of subcall function 008B01F8: EnterCriticalSection.KERNEL32(0096070C,?,?,008A8747,00962514), ref: 008B0202
Part of subcall function 008B01F8: LeaveCriticalSection.KERNEL32(0096070C,?,008A8747,00962514), ref: 008B0235

Strings

G, xrefs: 00917C7F
Variable must be of type 'Object'., xrefs: 00917C3A
5, xrefs: 00917C78

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 79e75b78452569b11b501a781bdac3075e63010b0838970c9cf9cb11eea8bc24
Instruction ID: 7aa298177f067df131bb56e170bef14bb37a814fc3d1c2a73f284fa7b4dc3ba9
Opcode Fuzzy Hash: 79e75b78452569b11b501a781bdac3075e63010b0838970c9cf9cb11eea8bc24
Instruction Fuzzy Hash: 73917A74B0420EAFCB14EF98D8819EDB7B5FF88304F148459F8469B291DB71AE81CB51

Function 008F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008F21D0,?,?,00000034,00000800,?,00000034), ref: 008FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008F2760

Part of subcall function 008FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008FB3F8

Part of subcall function 008FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008FB355
Part of subcall function 008FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008F2194,00000034,?,?,00001004,00000000,00000000), ref: 008FB365
Part of subcall function 008FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008F2194,00000034,?,?,00001004,00000000,00000000), ref: 008FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008F281A

Strings

@, xrefs: 008F2832

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5532e864ecb6f37e637ea34c78d954de26e0ade6a4c2252d4561cf38fc4465fa
Instruction ID: c383f6e20b7b1719edc9e24200a411f503b62a9e1fe7da3e8d31f211c34bf04a
Opcode Fuzzy Hash: 5532e864ecb6f37e637ea34c78d954de26e0ade6a4c2252d4561cf38fc4465fa
Instruction Fuzzy Hash: 42411B7290021CAFDB10DBA8CD46AEEBBB8FF09740F104095FA55B7181DB706E45CBA1

Function 008C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008C1769
_free.LIBCMT ref: 008C1834
_free.LIBCMT ref: 008C183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008C1760, 008C1767, 008C1796, 008C17CE

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 930f1782384b36f21632587f5d8da5258ca59e78d7efa5ad08403f4632adf395
Instruction ID: 5f95644aebd25d4ce72e63cf962eb40b61bba765640776cd6d8a69a93b7cd1f5
Opcode Fuzzy Hash: 930f1782384b36f21632587f5d8da5258ca59e78d7efa5ad08403f4632adf395
Instruction Fuzzy Hash: 62316F75A44218AFDF21DF9998C9E9EBBFCFB86310B54416EF404D7212D6B0CA40DB91

Function 008FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00961990,00AA6EE8), ref: 008FC395

Strings

0, xrefs: 008FC2DF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 27473bd67a85d90174df70c257c2c72c8531020e13e6a9c75897c8f813619e43
Instruction ID: 103c0392ddeb9e4e725056d77e3c994912495326254ba3a46a0c80d52e38d346
Opcode Fuzzy Hash: 27473bd67a85d90174df70c257c2c72c8531020e13e6a9c75897c8f813619e43
Instruction Fuzzy Hash: 8A417B712083099BD720DF39D944A6ABBE4FF85354F14861DFAA5D7391D730AA04CA52

Function 00924416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0092CC08,00000000,?,?,?,?), ref: 009244AA
GetWindowLongW.USER32 ref: 009244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009244D7

Strings

SysTreeView32, xrefs: 0092447C

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: eff2475c8fcdb0eea4b30f4e0a151a48680a388ce918a1fe73d328ffdc8111f1
Instruction ID: 4d67d0135ecbdda65020d03da9a3c98208c8d9745b9bd216646e67d99e81e131
Opcode Fuzzy Hash: eff2475c8fcdb0eea4b30f4e0a151a48680a388ce918a1fe73d328ffdc8111f1
Instruction Fuzzy Hash: 8C31BA71214625ABDF209E38EC45BEA7BA9EB09334F204714F975A21E4D770EC519B50

Function 0091304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00913077,?,?), ref: 00913378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
_wcslen.LIBCMT ref: 0091309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00913106

Strings

255.255.255.255, xrefs: 00913095, 0091309A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 14ddff50c709ee1b0552b4a304189ebc32e9a5971b62eae251812dd8259ecd0c
Instruction ID: 9aa60188fab69e354fc2bc79feb4820c1998bff5f1a7fe4ed7d9015d363fb410
Opcode Fuzzy Hash: 14ddff50c709ee1b0552b4a304189ebc32e9a5971b62eae251812dd8259ecd0c
Instruction Fuzzy Hash: AD31B2357042099FCB20CF29C585AE977F4EF58318F24C099E9159B392D771EE85C761

Function 00923EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00923F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00923F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00923F78

Strings

SysMonthCal32, xrefs: 00923F0B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c354afd905b0345a8f5acfb1c3442ddf27cf424fe2c203b58da740ed3505dc32
Instruction ID: ab3a7957af18ebda2469af9fd0ce7c60c36c62e8eff105e274c475867604fde2
Opcode Fuzzy Hash: c354afd905b0345a8f5acfb1c3442ddf27cf424fe2c203b58da740ed3505dc32
Instruction Fuzzy Hash: 8721EF32610229BBEF218F54EC42FEA3B79EF48718F110214FA05AB1D0D6B5AC55DB90

Function 00924653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00924705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00924713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0092471A

Strings

msctls_updown32, xrefs: 00924684

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a41d9ea3c27f2922c80e6cb0d585bf47f36881c58f35dcee83abdfab01b684e8
Instruction ID: 996274fc62e9af973c04625607fd09e5bfb85faae05aef0d658af88744ca09fb
Opcode Fuzzy Hash: a41d9ea3c27f2922c80e6cb0d585bf47f36881c58f35dcee83abdfab01b684e8
Instruction Fuzzy Hash: B6215EB5604219AFDB10DF68ECC1DAB37ADEB5A3A4B040059FA14DB351CB70EC11DB60

Function 008F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F961D

Strings

#requireadmin, xrefs: 008F95D9
#OnAutoItStartRegister, xrefs: 008F95F3
#notrayicon, xrefs: 008F95B7

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 891f0e32181a6106f517108a1496d38977af736e923c903108b55c712ab51ed3
Instruction ID: d66520282380af791397b6f10f89494d4bc46a63f3068f3af4c5ac009ebb7f83
Opcode Fuzzy Hash: 891f0e32181a6106f517108a1496d38977af736e923c903108b55c712ab51ed3
Instruction Fuzzy Hash: E8213832104129A6D731BA389C12FB773DCFFA5304F144026FB89DB141EB559D45C296

Function 009237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00923840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00923850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00923876

Strings

Listbox, xrefs: 0092380F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 903ad6bc47a7ea7c9f9c38b7333a55f777521af78d38db5c34323c2eaca2f31d
Instruction ID: bb7f2a593fe41276362a9338c56a98038bcc772df979cba5d3116759fb34e168
Opcode Fuzzy Hash: 903ad6bc47a7ea7c9f9c38b7333a55f777521af78d38db5c34323c2eaca2f31d
Instruction Fuzzy Hash: A421D172610228BBEF218F64EC81FBB376EEF89754F10C124F9009B194C675DC528BA0

Function 009049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00904A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00904A5C
SetErrorMode.KERNEL32(00000000,?,?,0092CC08), ref: 00904AD0

Strings

%lu, xrefs: 00904A6F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f37deec56e36ecc44e0012fb885a0c07e9d500751041ad3f3180f8165a89e3bb
Instruction ID: 52583334355338b68ca4b17d1fdfb5540d3687894e3a4977e8198370ac9cba5f
Opcode Fuzzy Hash: f37deec56e36ecc44e0012fb885a0c07e9d500751041ad3f3180f8165a89e3bb
Instruction Fuzzy Hash: 19313075A04109AFDB10DF58C885EAE77F8EF44308F1480A9F905DB252D771ED46CB62

Function 009241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0092424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00924264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00924271

Strings

msctls_trackbar32, xrefs: 00924226

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c204212f5b2aab71b01fc1f58505fc567bfbb66cef6b27d9523dcac92ad1aa71
Instruction ID: 859b0fbdb49f8756b09a404f2614ce29490bdd408a37c71bb27523a74adc9c37
Opcode Fuzzy Hash: c204212f5b2aab71b01fc1f58505fc567bfbb66cef6b27d9523dcac92ad1aa71
Instruction Fuzzy Hash: 0F110231240218BEEF209F69DC06FAB3BACEF95B64F010524FA55E20A0D2B1DC619B60

Function 008F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Part of subcall function 008F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008F2DC5
Part of subcall function 008F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F2DD6
Part of subcall function 008F2DA7: GetCurrentThreadId.KERNEL32 ref: 008F2DDD
Part of subcall function 008F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008F2DE4

GetFocus.USER32 ref: 008F2F78

Part of subcall function 008F2DEE: GetParent.USER32(00000000), ref: 008F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008F2FC3
EnumChildWindows.USER32(?,008F303B), ref: 008F2FEB

Strings

%s%d, xrefs: 008F2FFF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 5e3ccc3fa9890d249e6728b6157e5ccd4c203776fd56e31437d4331902cff76d
Instruction ID: 64e0b0b8af70665d11d9ff2456bd06aa49a0bed4a8f783f184a6d5421a6be198
Opcode Fuzzy Hash: 5e3ccc3fa9890d249e6728b6157e5ccd4c203776fd56e31437d4331902cff76d
Instruction Fuzzy Hash: B11190B16002096BCF14BF788C85EFD376AFF84314F044075BA09EB252EE70994A9B71

Function 00925882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009258EE
DrawMenuBar.USER32(?), ref: 009258FD

Strings

0, xrefs: 0092588F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ac3a385fb4b000c95b301116d84a4e400fe7edb6a3cc20093f0bc599630e6180
Instruction ID: 8fab075a7c3c769a971878585ea293976800cc36107eb0c203718a32f7588d0a
Opcode Fuzzy Hash: ac3a385fb4b000c95b301116d84a4e400fe7edb6a3cc20093f0bc599630e6180
Instruction Fuzzy Hash: AC01C031514228EFDB209F51EC44FAEBBB8FF45360F108099F848DA165DB308A94EF21

Function 008ED3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008ED3BF
FreeLibrary.KERNEL32 ref: 008ED3E5

Strings

GetSystemWow64DirectoryW, xrefs: 008ED3B9
X64, xrefs: 008ED2A8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 74849476ac59ca70e728ae875e0f080d4ca115f6beb6b6416f8e90d6ea32c305
Instruction ID: 91ced510ec9539a3fb5908540f2794317a951b155fa1ba4f4062fcc059781c8c
Opcode Fuzzy Hash: 74849476ac59ca70e728ae875e0f080d4ca115f6beb6b6416f8e90d6ea32c305
Instruction Fuzzy Hash: F9F0ABB190EB71DBD33152134C5496E3320FF03706B588115FA02E624AE720CD4E82E2

Function 008F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fd82c879ba3e2ce31200dd62e86fd83288cb32c85ae1efcdf299202c12ba24
Instruction ID: 4130767e3c14e18ebe636a3cab7592b375abbdb4300e7b0c8d3d5072d138eb31
Opcode Fuzzy Hash: 82fd82c879ba3e2ce31200dd62e86fd83288cb32c85ae1efcdf299202c12ba24
Instruction Fuzzy Hash: ADC12A75A0021AEFDB15CFA4C894ABEB7B5FF48704F208598E605EB252D731ED81DB90

Function 008C3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008C3F0B
__alldvrm.LIBCMT ref: 008C410C
__alldvrm.LIBCMT ref: 008C412E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c08e07e51b4fd94e79180bc41c65dcaf2998f5b0c10ab6e6b2f9086b70116184
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9CA13571E107869FDB21CE18C8A1FAABBF5FF65350F18816EE585DB282C634C982C751

Function 0091342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00913459
CoUninitialize.OLE32 ref: 00913463
VariantInit.OLEAUT32(?), ref: 0091346E
VariantClear.OLEAUT32(?), ref: 0091371B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 65f288a40c5ab73a70cac958fc35b6087887df398d59b48e7b6305a1d4620310
Instruction ID: 742f202015e15bc9f9fc1bf0996dde310161d19123fc40c7d44675c433d21e2c
Opcode Fuzzy Hash: 65f288a40c5ab73a70cac958fc35b6087887df398d59b48e7b6305a1d4620310
Instruction Fuzzy Hash: E1A13A753082049FDB10EF28C585A6AB7E5FF88710F098859F98ADB362DB30ED45CB52

Function 008F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F0608
CLSIDFromProgID.OLE32(?,?,00000000,0092CC40,000000FF,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F062D
_memcmp.LIBVCRUNTIME ref: 008F064E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9bad9861abfa99440f53a438982106ed930d28ce6e0eba9738933c111f0763b0
Instruction ID: 26ce51c5aff3e83f511b9377f9417743ca22f17b4ca6402062f8b1063042c107
Opcode Fuzzy Hash: 9bad9861abfa99440f53a438982106ed930d28ce6e0eba9738933c111f0763b0
Instruction Fuzzy Hash: 1481D975A00209EFCB04DFA4C984DEEB7B9FF89315B204558E616EB251DB71AE06CF60

Function 0091A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0091A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0091A6BA

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Process32NextW.KERNEL32(00000000,?), ref: 0091A79C
CloseHandle.KERNEL32(00000000), ref: 0091A7AB

Part of subcall function 008ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008D3303,?), ref: 008ACE8A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 00dbfd6d3a97aa11d443a4113d710079b78675a4f079ad7a72a13ac126ef109f
Instruction ID: 86b233e5b4786c7cd723c5340a458d6f8b93d5101d43d6bb31081086cbb7fa6f
Opcode Fuzzy Hash: 00dbfd6d3a97aa11d443a4113d710079b78675a4f079ad7a72a13ac126ef109f
Instruction Fuzzy Hash: B5512B71608300AFD710EF28C886A6BBBE8FF89754F44492DF595D7252EB70E904CB92

Function 008D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008D14C0

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 89070ddf0fdda9ee470bb391120bc39a19c4b3944ebb2fb53891fad9bfcd25a4
Instruction ID: 1a1279d3e089065fa9cfddb69c944f2229467312d94438136aa2f59905e33132
Opcode Fuzzy Hash: 89070ddf0fdda9ee470bb391120bc39a19c4b3944ebb2fb53891fad9bfcd25a4
Instruction Fuzzy Hash: 47412475A00504BBDF256ABD9C4EAAE3BB7FF41330F24432BF418D2392E67488415267

Function 00926278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009262E2
ScreenToClient.USER32(?,?), ref: 00926315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00926382

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6b30a8aa40d2b6126ed9fbf550d9b704b5868d3a4114cee7ed26577e57fc5910
Instruction ID: 798bface995f71b5cf6cd1ac41f0f252c0ad0f7197750c5d839f295922deb718
Opcode Fuzzy Hash: 6b30a8aa40d2b6126ed9fbf550d9b704b5868d3a4114cee7ed26577e57fc5910
Instruction Fuzzy Hash: A6512B74900219EFCF24DF68E880AAE7BB9FF45360F108159F855976A4D730AD41DB90

Function 00911AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00911AFD
WSAGetLastError.WSOCK32 ref: 00911B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00911B8A
WSAGetLastError.WSOCK32 ref: 00911B94

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 601bca06601fcda3590bbf91bb3637ed9d92aff5db98ff84313f464c447f84b6
Instruction ID: 59caa3116eee64fede5f6db0402b6df154ed850fc9040ffe5ca55cc64c2faa40
Opcode Fuzzy Hash: 601bca06601fcda3590bbf91bb3637ed9d92aff5db98ff84313f464c447f84b6
Instruction Fuzzy Hash: 5141D5747402006FEB20AF24C886F6977E5FB44718F588458F6199F7D2D772ED818B91

Function 008CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac22f416fec5f2bf2208fe80ca2d466cadaf261f1b52cd597e293bec2ca1e98
Instruction ID: e72b8d36d85f8e7ebf2f4de132728259fb73fa95fd62b10238296a765e08dc96
Opcode Fuzzy Hash: bac22f416fec5f2bf2208fe80ca2d466cadaf261f1b52cd597e293bec2ca1e98
Instruction Fuzzy Hash: 0041C175A04B04AFD7289F7CC842FAABBB9FB88710F10862EF141DB282D771D9018781

Function 009056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00905783
GetLastError.KERNEL32(?,00000000), ref: 009057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009057FA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3e8e560df0a048135829d047a4dc9211116fbecbbe0354182028d773b3090f5
Instruction ID: 5385bc8e31355a438028d2b0756fcd2278fc72a1f741eea3d6697b52e461d3f2
Opcode Fuzzy Hash: e3e8e560df0a048135829d047a4dc9211116fbecbbe0354182028d773b3090f5
Instruction Fuzzy Hash: 2B410935614610DFCF11EF19C544A1EBBE5FF89320B1A8488E84A9B362CB34FD419B92

Function 008CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008B6D71,00000000,00000000,008B82D9,?,008B82D9,?,00000001,008B6D71,8BE85006,00000001,008B82D9,008B82D9), ref: 008CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008CD9AB
__freea.LIBCMT ref: 008CD9B4

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9c1ec47517e66a7a9cac3521f4e9b84053197cb04568473857172fabddd0a503
Instruction ID: f079282be524134ace47738c51287a74fd8e35d494c0b509a7050da71d6da63f
Opcode Fuzzy Hash: 9c1ec47517e66a7a9cac3521f4e9b84053197cb04568473857172fabddd0a503
Instruction Fuzzy Hash: 0C31AD72A0020AABDF24EF69DC85EAE7BB5FB41310B05426CFC04DA291EB35CD55CB91

Function 009252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00925352
GetWindowLongW.USER32(?,000000F0), ref: 00925375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00925382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009253A8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d5eabcf720bd80113ef99abef95dbf76e888e3d428370175af2a221caceb8894
Instruction ID: e9e29a58f8dca7897d40da7ea534f2dfb486d59b99833f767306e52895e082f7
Opcode Fuzzy Hash: d5eabcf720bd80113ef99abef95dbf76e888e3d428370175af2a221caceb8894
Instruction Fuzzy Hash: 6331F670A69A28EFEF34DF14EC05FE83769AB043D0F596401FA10961E4C7B49D40EB81

Function 008FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008FAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008FACC6

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c68e3abd3e4f788650584ce442043a80a16b798156a7cf98bf845534ad52238f
Instruction ID: a6fac4739232d13d0a6ebad90cf6ba2d9becfb0c7119e95d927b2228646300dd
Opcode Fuzzy Hash: c68e3abd3e4f788650584ce442043a80a16b798156a7cf98bf845534ad52238f
Instruction Fuzzy Hash: 583116B0A0471CAFEB388B75CC047FE7AA5FB49320F04421AE689D22D0D37589859752

Function 00927674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0092769A
GetWindowRect.USER32(?,?), ref: 00927710
PtInRect.USER32(?,?,00928B89), ref: 00927720
MessageBeep.USER32(00000000), ref: 0092778C

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1a7f5894a961813bf3d387967eea9afa8ce53fa52048ae5c671b2d20f44eb78c
Instruction ID: bfddaac8164bbb246eb0ffafecfbecf5c625249e7f449b394fe14045c6415a16
Opcode Fuzzy Hash: 1a7f5894a961813bf3d387967eea9afa8ce53fa52048ae5c671b2d20f44eb78c
Instruction Fuzzy Hash: BA41BF34609225DFCB11CF98E894EA9B7F8FF49304F1840A8E814EB269C370E942DF90

Function 009216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009216EB

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

GetCaretPos.USER32(?), ref: 009216FF
ClientToScreen.USER32(00000000,?), ref: 0092174C
GetForegroundWindow.USER32 ref: 00921752

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 569325f60ef5cadb35debbecf0baab3b7162b148bde2ece5391a56d5869d3013
Instruction ID: f7e41268c6ca2ba7f501f07f915b7499d5e9f874fb4aeb573265cd53d5c692f0
Opcode Fuzzy Hash: 569325f60ef5cadb35debbecf0baab3b7162b148bde2ece5391a56d5869d3013
Instruction Fuzzy Hash: 98314171D00159AFCB10EFAAC881CAEB7FDFF88304B548069E415E7211EB319E45CBA1

Function 008FDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

_wcslen.LIBCMT ref: 008FDFCB
_wcslen.LIBCMT ref: 008FDFE2
_wcslen.LIBCMT ref: 008FE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008FE018

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 13082c45e68b9fdc1df9807538e2155f31a28104065b44cb4cfaca81e2e2beff
Instruction ID: 122450ede1d2ba2a19eebcac1bc8d72507a6c5faf3094ba1e68eb5605a7e3f60
Opcode Fuzzy Hash: 13082c45e68b9fdc1df9807538e2155f31a28104065b44cb4cfaca81e2e2beff
Instruction Fuzzy Hash: 3E219471900618AFCB219FA8D982BBE77F8FF85750F144065EA05FB352D6709E41CBA2

Function 00928FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetCursorPos.USER32(?), ref: 00929001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008E7711,?,?,?,?,?), ref: 00929016
GetCursorPos.USER32(?), ref: 0092905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008E7711,?,?,?), ref: 00929094

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c69698f5cee9c2f3ecf27dabacb501b6cdb5bd8aaa9ac061e8e31e3811d93e73
Instruction ID: 32ba5bd4a1cd5ccaf7a5c060a8f8ec7ddd98a88ba959f6d9f5d89c4e1622b8b7
Opcode Fuzzy Hash: c69698f5cee9c2f3ecf27dabacb501b6cdb5bd8aaa9ac061e8e31e3811d93e73
Instruction Fuzzy Hash: C521D131611028EFDB258F98EC58EFA3BB9FF8A360F044159F90587261C3359991EBA0

Function 008FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0092CB68), ref: 008FD2FB
GetLastError.KERNEL32 ref: 008FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0092CB68), ref: 008FD376

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 7e0b90c92b7e803adc11f673bad25db16fbfd1bae55d82375e3bc6a9f1719332
Instruction ID: 0f260e00316c9bdcbc2e5c2c4ec768b623e05182feebf32697b9a5932b1ee261
Opcode Fuzzy Hash: 7e0b90c92b7e803adc11f673bad25db16fbfd1bae55d82375e3bc6a9f1719332
Instruction Fuzzy Hash: 43217E715093059F8710EF38C88186E77E5FE55324F244A1DF6A9C32A1EB31D946CB93

Function 008F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008F102A
Part of subcall function 008F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008F1036
Part of subcall function 008F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1045
Part of subcall function 008F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008F104C
Part of subcall function 008F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008F15BE
_memcmp.LIBVCRUNTIME ref: 008F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F1617
HeapFree.KERNEL32(00000000), ref: 008F161E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b4e1d2e701957b8902b02fc8172f477efa40ffa9767dfb803465ae2afad638e1
Instruction ID: c8f79198c2246d97357567c91d74550cb1ecc7df74b7e8ceb5b42ce836940ce2
Opcode Fuzzy Hash: b4e1d2e701957b8902b02fc8172f477efa40ffa9767dfb803465ae2afad638e1
Instruction Fuzzy Hash: D6215571E00108EBDF10DFA4C949BEEB7B8FF94344F084459E541EB241E735AA05DBA0

Function 00922782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0092280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00922824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00922832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00922840

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 99249512fe70acd0bb03a3135c3ded2759685ec4f0ee22dea253fe8272d92883
Instruction ID: a37063b9e522e960bc4e8f15effb0a8112a9cf4468e2279113067c982a12e8a0
Opcode Fuzzy Hash: 99249512fe70acd0bb03a3135c3ded2759685ec4f0ee22dea253fe8272d92883
Instruction Fuzzy Hash: 0E21D331209121BFD714AB24EC44FAA7B99EF85324F148258F426CB6E2CB75FC42CB90

Function 008F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?), ref: 008F8D8C
Part of subcall function 008F8D7D: lstrcpyW.KERNEL32(00000000,?,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F8DB2
Part of subcall function 008F8D7D: lstrcmpiW.KERNEL32(00000000,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?), ref: 008F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7923
lstrcpyW.KERNEL32(00000000,?,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7984

Strings

cdecl, xrefs: 008F797B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7fffa8f558c4bbf101a560a9c1c034e57f11ba9008176e73b10f1a863af6ed88
Instruction ID: 59872374963902ac81e67198721e3df609d09ca7b130a801a4debf293a721292
Opcode Fuzzy Hash: 7fffa8f558c4bbf101a560a9c1c034e57f11ba9008176e73b10f1a863af6ed88
Instruction Fuzzy Hash: 0611293A304305AFEB259F39CC45D7A77A5FF85350B40402AFA02CB2A5EB759811D791

Function 00927CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00927D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00927D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00927D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0090B7AD,00000000), ref: 00927D6B

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 3fa4e5a4fea251a3521ddaba4b3045c0b620fef0b8f3f1a3b76c791afe5d33a4
Instruction ID: 389961a5b4fcd88ce375810800a1ca7647df326802876eae9373a06a2de5e052
Opcode Fuzzy Hash: 3fa4e5a4fea251a3521ddaba4b3045c0b620fef0b8f3f1a3b76c791afe5d33a4
Instruction Fuzzy Hash: 4111D231119625AFCB108F68EC04E6A7BA9AF46360B154728F835E72F4D7309951DB50

Function 00925660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009256BB
_wcslen.LIBCMT ref: 009256CD
_wcslen.LIBCMT ref: 009256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00925816

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6453d33c1820feb9e89b8dc1a04fe909a708f28de5743986acc7560e81473262
Instruction ID: dd84743543f980d5c2b708a66201f49f14c492795880fed0937b23c2d64866a8
Opcode Fuzzy Hash: 6453d33c1820feb9e89b8dc1a04fe909a708f28de5743986acc7560e81473262
Instruction Fuzzy Hash: 6211387560062896DF20DF65EC85AFE77BCFF10360F504426F915D6199E774CA84CB60

Function 008C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb6d26c475b6a8b5b92af036aa4ddda19e2b10b635d6c81d6fac47d33a00bf7
Instruction ID: a62a5d7f87af05d0f2a068882d801cb21cdb35a7e05092f79ac88993496767e2
Opcode Fuzzy Hash: 3fb6d26c475b6a8b5b92af036aa4ddda19e2b10b635d6c81d6fac47d33a00bf7
Instruction Fuzzy Hash: 31012CB2209A1A7EFA2126786CC5F67666DFF423B8B35032DF622D11D7DA70CC5051A1

Function 008F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A8A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1dec06718db233bd0ca63044cb45a6e6d8dcaf9ca5d75fa99849ae18dd11ca30
Instruction ID: 750c48f9d343d9e45917f30a6592ac7c18023ee596236027b370e9a5d68159c7
Opcode Fuzzy Hash: 1dec06718db233bd0ca63044cb45a6e6d8dcaf9ca5d75fa99849ae18dd11ca30
Instruction Fuzzy Hash: C811F77A901229FFEF119BA5C985FADBB78FB08750F200091EA04B7290D7716E51DB94

Function 008FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008FE24D

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 216f156306e76b2a8a0dcc422c5471e22bacffaf61431cca212f425ee7992e78
Instruction ID: d31aab29ede730631f3d2aab7e3e9ce5c24457fdc85029fbcf95c8e5a5013109
Opcode Fuzzy Hash: 216f156306e76b2a8a0dcc422c5471e22bacffaf61431cca212f425ee7992e78
Instruction Fuzzy Hash: 481108B2918258BBD7119FB89C05EAE7FACFB45320F144619F925E3391E2B0990097A0

Function 008BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008BCFF9,00000000,00000004,00000000), ref: 008BD218
GetLastError.KERNEL32 ref: 008BD224
__dosmaperr.LIBCMT ref: 008BD22B
ResumeThread.KERNEL32(00000000), ref: 008BD249

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2f9bfb831f534cbb8ce986e377c24d36baab95e0f4a2b5f1fda2a4f16dedf7a7
Instruction ID: 3d9176804ee7190e17d038734e6780790144f707bfa095af7e4cf304e8d54cab
Opcode Fuzzy Hash: 2f9bfb831f534cbb8ce986e377c24d36baab95e0f4a2b5f1fda2a4f16dedf7a7
Instruction Fuzzy Hash: 1301C476405309BBCB215BA9DC05BEE7A69FF81330F104219F925D22D1EB71990196A1

Function 00929EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetClientRect.USER32(?,?), ref: 00929F31
GetCursorPos.USER32(?), ref: 00929F3B
ScreenToClient.USER32(?,?), ref: 00929F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00929F7A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9c1e42d0786ef6b40a1397f480ee5ccdd321cd51489754ee8195380d2659865f
Instruction ID: f535664f3eee255dbceff041aa3d4a08070f033030f57fc89c514883e20543dd
Opcode Fuzzy Hash: 9c1e42d0786ef6b40a1397f480ee5ccdd321cd51489754ee8195380d2659865f
Instruction Fuzzy Hash: C711337290422AABDB60DFA8E9899EE77B8FF45311F000455F911E3150D334BE86DBA1

Function 0089600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
GetStockObject.GDI32(00000011), ref: 00896060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3c32de1d6360b3bbeda2c5727e20c8255cccea8c33c6f6d4b7786b911dc35a5e
Instruction ID: 06475054b23b93f8439d38bc9ded5b8be98eb9c5b3cb40c4dc594ac5c3ab91d2
Opcode Fuzzy Hash: 3c32de1d6360b3bbeda2c5727e20c8255cccea8c33c6f6d4b7786b911dc35a5e
Instruction Fuzzy Hash: D51161B2505909BFEF225F949C94EEA7B6DFF183A4F080215FA14A2120D7329C60EB91

Function 008B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008B3B56

Part of subcall function 008B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008B3AD2
Part of subcall function 008B3AA3: ___AdjustPointer.LIBCMT ref: 008B3AED

_UnwindNestedFrames.LIBCMT ref: 008B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008B3BA4

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: dd7f69345c1145cb169f70d04742fcbb0a6cc857663fc4095cc2161966690ea8
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AE010C32100149BBDF126E99CC46EEB7F6DFF58764F054014FE48A6221D732E961EBA1

Function 008C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008913C6,00000000,00000000,?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue), ref: 008C30A5
GetLastError.KERNEL32(?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue,00932290,FlsSetValue,00000000,00000364,?,008C2E46), ref: 008C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue,00932290,FlsSetValue,00000000), ref: 008C30BF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 70f9b874865b3d9ff79edde9898a40747d0b89a130150700597576f379fac956
Instruction ID: 29dc78262edc63637ed034c8e8f9bfa9239c889f03a68f7f2133f3e3ae7d55ac
Opcode Fuzzy Hash: 70f9b874865b3d9ff79edde9898a40747d0b89a130150700597576f379fac956
Instruction Fuzzy Hash: E501FC73315A26ABC7314B78AC44F6777A8FF45761B108628F956D3140C731D903C6D0

Function 008F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008F74CA

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f1c816c952e505468976bba74103811dfc5b595a72b4ad07329a020740e51061
Instruction ID: edb388fe435087a25e7e9f651e0c7f1b922b3d6a469a16ace76bcb25da837505
Opcode Fuzzy Hash: f1c816c952e505468976bba74103811dfc5b595a72b4ad07329a020740e51061
Instruction Fuzzy Hash: 58118BB1209319ABF7309F24EC09BA67BFCFB00B04F108569E616D7191D7B0E944DBA4

Function 008FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB126

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f2c60a7b782ab5fc113e9abb707f0399b3ee08d45f9dddb62f9d257473ca4d45
Instruction ID: 3f76639b403c8b03467e82f74c801e107f38e7731bde82dc8ff6df25c9fc562d
Opcode Fuzzy Hash: f2c60a7b782ab5fc113e9abb707f0399b3ee08d45f9dddb62f9d257473ca4d45
Instruction Fuzzy Hash: 30117970C08A2DEBCF10AFF4E9A96FEBB78FF49311F004085DA41B2281DB3046919B61

Function 00927E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00927E33
ScreenToClient.USER32(?,?), ref: 00927E4B
ScreenToClient.USER32(?,?), ref: 00927E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00927E8A

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bb0f57c91d2b1753e0054cc685b4041333757bc10b31b2e22ec2331839ffdbd0
Instruction ID: 4ae4962cc10eee0dd1d7a32f77d67d73ae68a21955ed522b8bb01b0bf597415d
Opcode Fuzzy Hash: bb0f57c91d2b1753e0054cc685b4041333757bc10b31b2e22ec2331839ffdbd0
Instruction Fuzzy Hash: D01160B9D0420AAFDB51CF98C884AEEBBF9FF08310F108066E911E2210D734AA55DF90

Function 008F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008F2DD6
GetCurrentThreadId.KERNEL32 ref: 008F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008F2DE4

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 83dd3dd6f55e1ae36fdee80db46bc1a0fb7e97533fa8de9e01eef3d28ec7a98c
Instruction ID: 87a785268d23765320b9063e35b5056cb82876f106046326ef4e952040c1003e
Opcode Fuzzy Hash: 83dd3dd6f55e1ae36fdee80db46bc1a0fb7e97533fa8de9e01eef3d28ec7a98c
Instruction Fuzzy Hash: C6E06DB111962C7BE7302B729C0EEFB7E6CFB42BA1F400215B205D10809AA48842D6F0

Function 00928863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96A2
Part of subcall function 008A9639: BeginPath.GDI32(?), ref: 008A96B9
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00928887
LineTo.GDI32(?,?,?), ref: 00928894
EndPath.GDI32(?), ref: 009288A4
StrokePath.GDI32(?), ref: 009288B2

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 610e930ac1e129eb4a5608cf87dc42dca45165be9538c8877888d124a3e2121e
Instruction ID: 8c8db0735fb03b45bca9111309acb2e33eb9c421d088ddf6ab4ae5483e0fde28
Opcode Fuzzy Hash: 610e930ac1e129eb4a5608cf87dc42dca45165be9538c8877888d124a3e2121e
Instruction Fuzzy Hash: B0F05E3605A668FAEF225F94BC0AFCE3F59AF06311F048000FA11A50E2C7B55522EFE5

Function 008A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008A98CC
SetTextColor.GDI32(?,?), ref: 008A98D6
SetBkMode.GDI32(?,00000001), ref: 008A98E9
GetStockObject.GDI32(00000005), ref: 008A98F1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 17d614107d90901e72335e0cb96e054e78f1ff6a5ca4cddd16df5d10a11ca089
Instruction ID: cc613b10b2ba7454426d4d5879d2da23f9ba84c9af7164d5a93a3698507a766e
Opcode Fuzzy Hash: 17d614107d90901e72335e0cb96e054e78f1ff6a5ca4cddd16df5d10a11ca089
Instruction Fuzzy Hash: 69E0657125C680AADB315B75AC09BED3F10FB12336F048219F6F5940E2C3714651AB11

Function 008F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008F11D9), ref: 008F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008F11D9), ref: 008F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008F11D9), ref: 008F164F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b4c41071408deff3d9416af61e6acc2934f530c8444e7ede1762d5fda7be2996
Instruction ID: 45d9d1e0f13b3042dbbf4779e1874588660ee1a3d7240a26efdbe0d31aab375a
Opcode Fuzzy Hash: b4c41071408deff3d9416af61e6acc2934f530c8444e7ede1762d5fda7be2996
Instruction Fuzzy Hash: 72E086B1655211DBDB301FB09D0DB5A3B7CFF54791F144808F345DA080D6388442D754

Function 008ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008ED858
GetDC.USER32(00000000), ref: 008ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008ED882
ReleaseDC.USER32(?), ref: 008ED8A3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: eb3103cd93b4075b57ee3a850edbd38abde5b2b4931f5a290020e80bf8c6cd86
Instruction ID: d1d083a760360a0b902bcd2a3f02459f12aad86d00a9109c261d778d1b5c5148
Opcode Fuzzy Hash: eb3103cd93b4075b57ee3a850edbd38abde5b2b4931f5a290020e80bf8c6cd86
Instruction Fuzzy Hash: DFE01AB1814209DFCF51AFA0D80C66DBBB1FB08710F148419F806E7250CB385902AF40

Function 008ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008ED86C
GetDC.USER32(00000000), ref: 008ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008ED882
ReleaseDC.USER32(?), ref: 008ED8A3

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 75315b9e7f102a52682c9c249b48fc9222a21a04290f68dfdaae7900e117d80b
Instruction ID: 4e2351a7cd76e5f7e7912e87894e0742cf4ba641740ac6d54a06fc148bd825c9
Opcode Fuzzy Hash: 75315b9e7f102a52682c9c249b48fc9222a21a04290f68dfdaae7900e117d80b
Instruction Fuzzy Hash: E4E046B1C18209EFCF60AFA0D80C66DBBB1FF08710F148008F80AE7250CB385902AF80

Function 00904D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00904ED4

Strings

*, xrefs: 00904E10
LPT, xrefs: 00904DFB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 76184b12203a9724cc86d0f64bf28e606770f61b9623e736a0fda5552d2aa657
Instruction ID: 183ef9c6edd7a807e40c2337f49914a303ca38fe1b03c4fac9d790e340152397
Opcode Fuzzy Hash: 76184b12203a9724cc86d0f64bf28e606770f61b9623e736a0fda5552d2aa657
Instruction Fuzzy Hash: 009151B5A042059FCB14DF58C484EAABBF5FF44304F198099E60A9F3A2D735ED85CB91

Function 008BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008BE30D

Strings

pow, xrefs: 008BE2E5, 008BE302

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c726548844aef3ce719b6865fd9411d52276f7a285e14f39cf8f14852e957594
Instruction ID: 20fa2c59e782c4ba88b6bda300176c5591e2a39a43cb647f16fe087a964c32b4
Opcode Fuzzy Hash: c726548844aef3ce719b6865fd9411d52276f7a285e14f39cf8f14852e957594
Instruction Fuzzy Hash: 9F515B61A1C6069ADB117718C941BFA2BF4FB40B40F34896CF096C23ADDB35CC959E86

Function 008AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008AE1B1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 97dccae56cb8ee8da10713373f8c5abe5e5b9a90e185ffa66c0fad642bf68bea
Instruction ID: f8ef2165b607d9e03b634b0d2b661fe02970c1cecece70b989dd2e5764a190c4
Opcode Fuzzy Hash: 97dccae56cb8ee8da10713373f8c5abe5e5b9a90e185ffa66c0fad642bf68bea
Instruction Fuzzy Hash: 2451127550429ADFEF25EF29C881ABA7BA8FF57310F244459FC91DB280D6309D42CB91

Function 008AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008AF2BB

Strings

@, xrefs: 008AF2AF

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 396f1206c0c46b536047595e3d402307e9cf826c3e9a3e76436dec83b30b7549
Instruction ID: ce6f411bf9a209eaf79de95eb4acaef18f4010aae72db4202a84a3f047b74edf
Opcode Fuzzy Hash: 396f1206c0c46b536047595e3d402307e9cf826c3e9a3e76436dec83b30b7549
Instruction Fuzzy Hash: 3F51677241C7449BD720AF14D886BAFBBF8FB85300F85884CF29981195EB718569CB67

Function 00915745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009157E0
_wcslen.LIBCMT ref: 009157EC

Strings

CALLARGARRAY, xrefs: 009157E6, 009157EB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 101ac242c2c44777a0d939033b51b05b8906464ffd37d8c7b36bd34d66332323
Instruction ID: d602f0fcccb00ac9e8b770eb5f7f8abfaa145aeaeffce3a017b3d67ec40abfbe
Opcode Fuzzy Hash: 101ac242c2c44777a0d939033b51b05b8906464ffd37d8c7b36bd34d66332323
Instruction Fuzzy Hash: 11417D71A00209DFCB14DFA9C8829EEBBB9FF99314F164169E505A72A1E7309D81CB91

Function 0090D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0090D13A

Strings

|, xrefs: 0090D10B

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9ad3ba355ab9312cd5846891ae46684a41b1536d3762e4f6a43cfd7d9d8c631f
Instruction ID: 33c5594afe47378fce896c339df466befb8283bcf9c6d739f19472c644142d64
Opcode Fuzzy Hash: 9ad3ba355ab9312cd5846891ae46684a41b1536d3762e4f6a43cfd7d9d8c631f
Instruction Fuzzy Hash: 17311971D01219AFCF15EFE8CC85AEE7FB9FF04340F140019E815A6262EB31AA16DB51

Function 0092356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00923621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0092365C

Strings

static, xrefs: 009235BC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 884b6018a0eaf188b63333564dcf2242d194ba24d56c20d5efa6f6dfaf6d507b
Instruction ID: 3c6e0496939df917bd1463b9a8175ae3deff56ea1caa8e0628f72e13914536a2
Opcode Fuzzy Hash: 884b6018a0eaf188b63333564dcf2242d194ba24d56c20d5efa6f6dfaf6d507b
Instruction Fuzzy Hash: DD318F71110614AADB209F28EC81FBB73ADFF88724F108619F8A9D7280DA35AD91D760

Function 00924537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0092461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00924634

Strings

', xrefs: 0092458E

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 85003bc60696edba0970cb855c5c5e9ad547417e6ac508106c4823099a3b4894
Instruction ID: e32b0d08dea804f7eb8f3b34eab4c4846ea30159e321d09be7f1e0b9f970ee41
Opcode Fuzzy Hash: 85003bc60696edba0970cb855c5c5e9ad547417e6ac508106c4823099a3b4894
Instruction Fuzzy Hash: 27314A74A0131A9FDF14CFA9D980BDA7BB9FF09300F14406AE904AB345D770A941CF90

Function 009231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0092327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00923287

Strings

Combobox, xrefs: 00923249

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 704d12aeadd0c078f551213144304156f8361c93d16cc908382c4e09f63dbab1
Instruction ID: 35abfb027a21a278ef5ba2c6b02abe55fadc2ab6f0e35d08433aa45c0a44dfb0
Opcode Fuzzy Hash: 704d12aeadd0c078f551213144304156f8361c93d16cc908382c4e09f63dbab1
Instruction Fuzzy Hash: 1E110471300218BFFF21DF94EC80EBB3B6EEB94364F108128F928A7294D6359D519760

Function 00923710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0089600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
Part of subcall function 0089600E: GetStockObject.GDI32(00000011), ref: 00896060
Part of subcall function 0089600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

GetWindowRect.USER32(00000000,?), ref: 0092377A
GetSysColor.USER32(00000012), ref: 00923794

Strings

static, xrefs: 00923757

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 57c62ec37b555fbefad97a555071acb8a64534806048a27fbdd303d71bbcddae
Instruction ID: e8a8300af1ff272f92cac695c1f4f4a7ba32b3b5dfdfc89effc6ef16af06e803
Opcode Fuzzy Hash: 57c62ec37b555fbefad97a555071acb8a64534806048a27fbdd303d71bbcddae
Instruction Fuzzy Hash: 821129B261021AAFDF10DFA8DC45EEE7BB8FB08314F004914F955E2250E775E861DB50

Function 0090CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0090CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0090CDA6

Strings

<local>, xrefs: 0090CD66

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: adb4467dd1f1cba49eb94e30712fa94470f1783abf24033a408e28cca90877e7
Instruction ID: bc4460c4de04dc3bc633fafda91496d0f483812ac28c95858cbd0b6cb006e0be
Opcode Fuzzy Hash: adb4467dd1f1cba49eb94e30712fa94470f1783abf24033a408e28cca90877e7
Instruction Fuzzy Hash: 3B11A0B1215631BED7384B668C49EE7BEACEF127A4F00472AB109930C0E6649885D6F0

Function 00923429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009234BA

Strings

edit, xrefs: 0092348F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: feef85c44b3273d9faaf5d60dff90b1da49dc7881dbb9ac882c65b466c205cc3
Instruction ID: 5551a2ec559fce5342beab7cb2083a9c3832fa0b8cab1437240054476d5b39d7
Opcode Fuzzy Hash: feef85c44b3273d9faaf5d60dff90b1da49dc7881dbb9ac882c65b466c205cc3
Instruction Fuzzy Hash: 7211B271110118ABEB116F64EC40AAB376EEB04374F508754F961931E8C779DC519B50

Function 008F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

CharUpperBuffW.USER32(?,?,?), ref: 008F6CB6
_wcslen.LIBCMT ref: 008F6CC2

Strings

STOP, xrefs: 008F6CBC, 008F6CC1

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c775227b405f7c1e56afca3c9a7c6a2994927e3312464c6333682fe6ed635c95
Instruction ID: b889a45e179380783792d39e0dd16872db8edb0861e8ac35aaa2f06abe476c0a
Opcode Fuzzy Hash: c775227b405f7c1e56afca3c9a7c6a2994927e3312464c6333682fe6ed635c95
Instruction Fuzzy Hash: 3C01C432A1052E9ACB20AFBDDC819BF77B5FB617147110628E9A2D6195FA32D920C650

Function 008F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008F1D4C

Strings

ListBox, xrefs: 008F1D16
ComboBox, xrefs: 008F1CEB

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 35431c7f3c0d3f3ec9d9c8e603b31364b4fabc731a6214101600162ff7677709
Instruction ID: 0a7232112114af1511888f2b58acdf2c4166093011fd0cc40a439492bbe7d734
Opcode Fuzzy Hash: 35431c7f3c0d3f3ec9d9c8e603b31364b4fabc731a6214101600162ff7677709
Instruction Fuzzy Hash: EA019E7160121CAB8F18FBB9CC698FE73A8FB46354B04061EF962A72D1EA3159088661

Function 008F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008F1C46

Strings

ListBox, xrefs: 008F1C10
ComboBox, xrefs: 008F1BE5

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 01aec8b75e8d8c6e306912170e59bb474f8d2614d2c9829cbc4c0db504ba23eb
Instruction ID: abacfa5fe9ed7903835757bdf3ed4032d8a35a9b5d64eb5501945c5438419398
Opcode Fuzzy Hash: 01aec8b75e8d8c6e306912170e59bb474f8d2614d2c9829cbc4c0db504ba23eb
Instruction Fuzzy Hash: A501847568110CA6CF14FBA9C9659FF77A8FB61344F140019EA56F7282EA209B08D6B2

Function 008F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008F1CC8

Strings

ListBox, xrefs: 008F1C94
ComboBox, xrefs: 008F1C69

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4a446b29b8aa5ae001f866b66e001c88d7215ce3cd707451f553d78ea8ca90ee
Instruction ID: c70b375d115e2d6a206ae9350af5aac3e2ee7cc38ae6c14e0ea95ddc90a7a618
Opcode Fuzzy Hash: 4a446b29b8aa5ae001f866b66e001c88d7215ce3cd707451f553d78ea8ca90ee
Instruction Fuzzy Hash: 8C01DB71A4011CA7CF14FBB9CE15AFE77A8FB11344F140019B952F3281EA219F08C672

Function 008F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008F1DD3

Strings

ListBox, xrefs: 008F1DA0
ComboBox, xrefs: 008F1D75

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c094a9082f924796f96d13966fe442360c8bf41040437831a0f607f8288af5ca
Instruction ID: 6e27e3044c3c43a1efd4ed41200dee472fb466408b8f271f0c69d6a45b6827a2
Opcode Fuzzy Hash: c094a9082f924796f96d13966fe442360c8bf41040437831a0f607f8288af5ca
Instruction Fuzzy Hash: 10F0A471A4121DA6DF14FBBDCC66AFE77B8FB41354F080919F962E32C2DA605A088261

Function 0091747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00917493
_wcslen.LIBCMT ref: 009174B9

Strings

3, 3, 16, 1, xrefs: 00917483

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 51bdc0981eba0067d64e8bba9b0b7e7dadd657812850740f46de180f2bf04455
Instruction ID: 9ccb18a867a110d3cd584ac7405d563808b1caca59a5b7e87f4cefea30b0b062
Opcode Fuzzy Hash: 51bdc0981eba0067d64e8bba9b0b7e7dadd657812850740f46de180f2bf04455
Instruction Fuzzy Hash: 63E0931571521110533112BEACC25FFDA9EDFC57517141417F945C23B7D6548DD193A1

Function 008F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008F0B23

Strings

Error allocating memory., xrefs: 008F0B1C
AutoIt, xrefs: 008F0B17

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9b593980b8d1abdd9d6e1106e0bbc957cf8962f7eb4db1168596300f09734c9d
Instruction ID: 79d1b34979f8825693da7cd9c45fdfcd54ad2b71bbd0195dc54c43491d67ceb8
Opcode Fuzzy Hash: 9b593980b8d1abdd9d6e1106e0bbc957cf8962f7eb4db1168596300f09734c9d
Instruction Fuzzy Hash: 75E0D8712443183AD22437987C03F8D7AC4EF05B65F100426FB88D55C38AE164A006EB

Function 008B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008B0D71,?,?,?,0089100A), ref: 008AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0089100A), ref: 008B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0089100A), ref: 008B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008B0D7F

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e98187f232b8467cc365c7cd1f765f001b969a9d1dd04f8f425674ef77066a75
Instruction ID: d646998588b46130a2f3afb4fecbde7ce1920fd40d686c662604a90993414a1c
Opcode Fuzzy Hash: e98187f232b8467cc365c7cd1f765f001b969a9d1dd04f8f425674ef77066a75
Instruction Fuzzy Hash: 46E039B02007518BD7309FA8E4087867BE0FB00744F084A2DE492C6796DBB0E4499F91

Function 00903017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0090302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00903044

Strings

aut, xrefs: 00903038

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d4012091efd5484bd595383e65a2380cf9f2718dcfc6d7b6bf61e24a1f63977f
Instruction ID: 0394b88951df0064eaec9f4940d163594cc46867615844116412a8ab2b47e187
Opcode Fuzzy Hash: d4012091efd5484bd595383e65a2380cf9f2718dcfc6d7b6bf61e24a1f63977f
Instruction Fuzzy Hash: 90D05EB2500328B7DA30A7A5AC0EFCB3A6CDB04751F4002A1BA65E2095DEB0D989CBD0

Function 008ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008ED220

Strings

%.3d, xrefs: 008ED22B
X64, xrefs: 008ED2A8

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 29b5fccc01c1ac0aa2f55ecaf9d58f9d2ce7bc6c0da12847850a498f3443ee6f
Instruction ID: ff8db162e1a5e97f2d19b51c8341910749e4975a4092f31511a82fa09e5cd8f8
Opcode Fuzzy Hash: 29b5fccc01c1ac0aa2f55ecaf9d58f9d2ce7bc6c0da12847850a498f3443ee6f
Instruction Fuzzy Hash: 92D012A180834CE9CB5096E2DC458B9B37CFB0A345F508452FE16E1041D634E50D6761

Function 00922322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0092232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0092233F

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Strings

Shell_TrayWnd, xrefs: 00922325

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 82322f1408afeb82d1c8fb161d120173cc8cda0002a7367d1852b9836bcaf9e0
Instruction ID: fc6f4ea7844e00c6cff70682b6c522e98cc019e8476d8e7ef0982aac0d4d25bf
Opcode Fuzzy Hash: 82322f1408afeb82d1c8fb161d120173cc8cda0002a7367d1852b9836bcaf9e0
Instruction Fuzzy Hash: 79D0A9723A8300B6E274A730AC0FFCA6A04AB00B00F000A06B705AA0E0C8F0A8028A10

Function 00922356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0092236C
PostMessageW.USER32(00000000), ref: 00922373

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Strings

Shell_TrayWnd, xrefs: 00922365

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d899c4ceed68254f761c66023bfdba019560ae0b347000d421f9f6efded274e5
Instruction ID: 513052c7c9e4d86b2dcba99e51c63b9c590a32d61a2473f2823d5ebfbd0ef576
Opcode Fuzzy Hash: d899c4ceed68254f761c66023bfdba019560ae0b347000d421f9f6efded274e5
Instruction Fuzzy Hash: D0D0A972398300BAE274A730AC0FFCA6A04AB04B00F000A06B701EA0E0C8F0A8028A14

Function 008CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008CBE93
GetLastError.KERNEL32 ref: 008CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008CBEFC

Memory Dump Source

Source File: 00000000.00000002.1793782792.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.1793728772.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793883867.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794348470.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794381448.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 592420267e7f047f2d6918299a6d4389c1436ca798cf8bcf1322cb577a9e8e7a
Instruction ID: e805b988fc35f49ccc34fe6ef4027bca71bf8c7ff91eadd3fe229f692f2db99d
Opcode Fuzzy Hash: 592420267e7f047f2d6918299a6d4389c1436ca798cf8bcf1322cb577a9e8e7a
Instruction Fuzzy Hash: 7141CF34614A16ABDB218FA8CC46FAA7BB4FF41720F14416DF959DB2A1DB30CC01DB61

Analysis Process: firefox.exePID: 7424, Parent PID: 2932COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000021CE356BB77 Relevance: 8.3, APIs: 1, Instructions: 6848nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000021CE356BB9C

Memory Dump Source

Source File: 00000010.00000002.2996783002.0000021CE3569000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE3569000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_21ce3569000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction ID: 0cade0f30b6215331815c0bdaf411515279c9803c03ead754d9aa2032425d1a3
Opcode Fuzzy Hash: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction Fuzzy Hash: 6DA3D131754A488BEB2DDF28DC896EA77E5FB95300F14522ED94BC7251DF30FA428A81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49764
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49817

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1807267694.00000200FF161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1969882033.00000200FF118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1936879093.000002008A93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927899088.000002008A938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A94E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1936879093.000002008A93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927899088.000002008A938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A94E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1936358195.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952194605.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926972886.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1936879093.000002008A93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927899088.000002008A938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A94E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1936879093.000002008A93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927899088.000002008A938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932404069.000002008A94E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2998141850.0000021CE360A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E9890C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2998141850.0000021CE360A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E9890C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2998141850.0000021CE360A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2998237493.0000014E9890C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980956594.0000020084BC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1934322535.00000200864C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: r"><div class="logo-and-wordmark"><div class="logo"></div><div class="wordmark"></div></div><div class="search-inner-wrapper"><button class="search-handoff-button" data-l10n-id="newtab-search-box-handoff-input" data-l10n-args="{"engine": "Google"}" tabindex="-1"><div class="fake-textbox" data-l10n-id="newtab-search-box-handoff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/facebook-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Facebook<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Facebook"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.wikipedia.org/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="W"><div class="top-site-icon rich-icon" style="background-image:url(chrome://a
Source: firefox.exe, 0000000D.00000003.1934322535.00000200864C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: r"><div class="logo-and-wordmark"><div class="logo"></div><div class="wordmark"></div></div><div class="search-inner-wrapper"><button class="search-handoff-button" data-l10n-id="newtab-search-box-handoff-input" data-l10n-args="{"engine": "Google"}" tabindex="-1"><div class="fake-textbox" data-l10n-id="newtab-search-box-handoff-text" data-l10n-args="{"engine": "Google"}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"YouTube"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/facebook-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Facebook<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Facebook"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.wikipedia.org/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="W"><div class="top-site-icon rich-icon" style="background-image:url(chrome://a
Source: firefox.exe, 0000000D.00000003.1954591028.0000020086361000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980784066.0000020084CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936358195.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1860228933.0000020082033000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852774427.0000020082036000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1857316835.0000020082033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comLMEM( equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980784066.0000020084CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964099511.0000020084CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852774427.0000020082036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1852774427.0000020082036000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851687968.0000020082033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com-X equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1936358195.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952194605.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926972886.000002008A9E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49858 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b405b65b-7772-40c7-a964-f272747e0b9c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b405b65b-7772-40c7-a964-f272747e0b9c.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre