Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561485
MD5:	143c4039d125e72ce6d0ce771f89c518
SHA1:	ad5f6bdad7301b371a623b024c2444b9d4ef7495
SHA256:	dc7b10f48766a87a2b7e0a4cfe2f61e8c0c1eb456cbef0e9012c4010aecd15ad
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 143C4039D125E72CE6D0CE771F89C518)

taskkill.exe (PID: 5452 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5468 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 576 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6768 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3128 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1012 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 320 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7228 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f95c23-1e74-49b4-8ec9-6b62661cfb42} 320 "\\.\pipe\gecko-crash-server-pipe.320" 23719b6e510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7852 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 3388 -prefMapHandle 4088 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ed2f00-3814-45b3-bad1-9010739314d0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372c129810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 33008 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a20eec45-8e8b-43c7-9f8f-038c690464c0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372b388910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2098433616.0000000000D90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6568	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0087EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0087ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0087EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0086AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00899576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00899576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2036535069.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fbdb190b-f
Source: file.exe, 00000000.00000000.2036535069.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_54d4714c-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba98218f-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f46ee88b-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D9085CB7 NtQuerySystemInformation,		17_2_000001B1D9085CB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D90F4772 NtQuerySystemInformation,		17_2_000001B1D90F4772

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0086D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0086E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00872046	0_2_00872046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00808060	0_2_00808060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00868298	0_2_00868298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083E4FF	0_2_0083E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083676B	0_2_0083676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00894873	0_2_00894873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082CAA0	0_2_0082CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CAF0	0_2_0080CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CC39	0_2_0081CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00836DD9	0_2_00836DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008091C0	0_2_008091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B119	0_2_0081B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821394	0_2_00821394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821706	0_2_00821706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082781B	0_2_0082781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008219B0	0_2_008219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807920	0_2_00807920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081997D	0_2_0081997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827A4A	0_2_00827A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00827CA7	0_2_00827CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821C77	0_2_00821C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00839EEE	0_2_00839EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088BE44	0_2_0088BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00821F32	0_2_00821F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D9085CB7	17_2_000001B1D9085CB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D90F4772	17_2_000001B1D90F4772
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D90F4E9C	17_2_000001B1D90F4E9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001B1D90F47B2	17_2_000001B1D90F47B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00809CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0081F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00820A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@74/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008737B5 GetLastError,FormatMessageW,

0_2_008737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008610BF AdjustTokenPrivileges,CloseHandle,		0_2_008610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0086D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0087648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2294045279.0000023735399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f95c23-1e74-49b4-8ec9-6b62661cfb42} 320 "\\.\pipe\gecko-crash-server-pipe.320" 23719b6e510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 3388 -prefMapHandle 4088 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ed2f00-3814-45b3-bad1-9010739314d0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372c129810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 33008 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a20eec45-8e8b-43c7-9f8f-038c690464c0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372b388910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f95c23-1e74-49b4-8ec9-6b62661cfb42} 320 "\\.\pipe\gecko-crash-server-pipe.320" 23719b6e510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 3388 -prefMapHandle 4088 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ed2f00-3814-45b3-bad1-9010739314d0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372c129810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 33008 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a20eec45-8e8b-43c7-9f8f-038c690464c0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372b388910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2131230366.0000023735C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2190650879.0000023726EFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2131230366.0000023735C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2190650879.0000023726EFA000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820A76 push ecx; ret

0_2_00820A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0081F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00891C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97230

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001B1D9085CB7 rdtsc

17_2_000001B1D9085CB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0086DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083C2A2 FindFirstFileExW,	0_2_0083C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008768EE FindFirstFileW,FindClose,	0_2_008768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0087698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0086D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00879642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0087979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00879B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00875C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00875C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: firefox.exe, 00000010.00000002.3916451010.0000023B21A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXLb+
Source: firefox.exe, 00000010.00000002.3916451010.0000023B21A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWLF
Source: firefox.exe, 00000010.00000002.3911284323.0000023B211BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3909347911.000001B1D87FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3915013526.000001B1D8F80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909947699.000001975227A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3914821769.0000019752610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3915732275.0000023B2161D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3911284323.0000023B211BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: firefox.exe, 00000010.00000002.3916451010.0000023B21A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTJ^-
Source: firefox.exe, 00000011.00000002.3915013526.000001B1D8F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001B1D9085CB7 rdtsc

17_2_000001B1D9085CB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087EAA2 BlockInput,

0_2_0087EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00832622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00824CE8 mov eax, dword ptr fs:[00000030h]

0_2_00824CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00860B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00860B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00832622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00832622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008209D5 SetUnhandledExceptionFilter,	0_2_008209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00820C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00820C21

Source: C:\Users\user\Desktop\file.exe

0_2_00861201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00842BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00842BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086B226 SendInput,keybd_event,

0_2_0086B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00860B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00861663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00861663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820698 cpuid

0_2_00820698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00878195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00878195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D27A GetUserNameW,

0_2_0085D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0083B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2098433616.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6568, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2098433616.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6568, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00881204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00881806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.174	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2245292020.000002372D418000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911591786.00000197525C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2142579840.0000023735BCA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2102188675.0000023731B30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3912558302.0000023B215CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3915218907.0000019752804000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3911160532.000001B1D8A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911591786.000001975258F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2295280240.0000023731EE2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2271669930.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2253474745.00000237353AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232500094.00000237353AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2290868508.00000237279C3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2248378646.000002372C508000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080923836.0000023729E38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081325004.0000023729E8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081206707.0000023729E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081054707.0000023729E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080660627.0000023729C00000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2289121889.000002372A7BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2294203535.000002373537C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278956447.000002373537C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2230437271.0000023731A92000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2274909472.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281868546.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2247585576.000002372C552000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208998390.000002372B541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080923836.0000023729E38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081325004.0000023729E8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081206707.0000023729E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289121889.000002372A736000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283572627.000002372B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081054707.0000023729E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080660627.0000023729C00000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2290868508.00000237279A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2245735133.000002372D40C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2080803496.0000023729E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080923836.0000023729E38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081206707.0000023729E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081054707.0000023729E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080660627.0000023729C00000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2298978726.000002372C924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231370911.0000023731A41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273035418.0000023731A41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246768260.000002372C967000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2295280240.0000023731EE2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2122445955.000002372B936000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2230437271.0000023731AAB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2274909472.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281868546.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2088714646.0000023729ADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194957506.0000023729ADE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2247585576.000002372C52F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8A0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911591786.000001975250C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2124354035.000002372BC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124155270.000002372A59F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2295760173.0000023731EB4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2253767331.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272435362.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294891321.00000237334F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2272697303.0000023731C5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911591786.00000197525C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2297161928.00000237318BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2124354035.000002372BC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124155270.000002372A59F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.coyI	firefox.exe, 00000010.00000002.3912110170.0000023B214A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2270742249.000002372B507000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2293115701.00000237356BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2290868508.000002372796B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2289121889.000002372A790000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3912558302.0000023B215CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3915218907.0000019752804000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3912558302.0000023B215CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3915218907.0000019752804000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2274909472.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281868546.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3911591786.000001975250C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3914496242.0000019752600000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2247103494.000002372C8D0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000012.00000002.3911591786.000001975258F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2230437271.0000023731A92000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2295938700.0000023731EAB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2290737263.00000237279D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2124354035.000002372BC19000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2237152714.000002372D48F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230338647.0000023731AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270095185.000002372B653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291944772.0000023735B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198055178.0000023731B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246965540.000002372C958000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289748797.000002372A26A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2123349023.000002372A5D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229147279.0000023735B80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090858501.000002372ADDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189189187.000002372B5ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261957207.000002372A1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2091020687.000002372A1F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280992430.000002372C1D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195413730.00000237299FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208835256.000002372B5EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326742606.0000023729E4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193778051.000002372B9BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271381692.0000023735BD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124720205.000002372ADAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116871815.000002372B556000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2245735133.000002372D40C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://youtube.com/	firefox.exe, 0000000E.00000003.2247585576.000002372C552000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2245735133.000002372D40C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2231370911.0000023731A16000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2247103494.000002372C8A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2247103494.000002372C8A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2295938700.0000023731EAB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2296450364.0000023731E7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2106108426.000002372A867000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2274909472.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281868546.000002372BEA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2290737263.00000237279D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2124354035.000002372BC19000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2282162423.000002372B82D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2298942497.000002372C926000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2124354035.000002372BC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124155270.000002372A59F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2088714646.0000023729ADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194957506.0000023729ADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290737263.00000237279D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2253767331.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272435362.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294891321.00000237334F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2296488202.0000023731E5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241233784.0000023731CCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254241127.0000023731CCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288067888.0000023731CD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3911898053.0000023B21400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3915500346.000001B1D90A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3914935312.0000019752710000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561485
Start date and time:	2024-11-23 14:54:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@74/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.80.238.59, 52.12.64.98, 35.164.125.63, 172.217.17.74, 172.217.17.42, 172.217.17.78, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	decode_c4dbf387b077f2573e7bccb997d0921d62fdc422a3e72e523efa6385a324f331.exe	Get hash	malicious	PureLog Stealer	Browse	57.128.155.22
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	56.19.239.54
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	decode_c4dbf387b077f2573e7bccb997d0921d62fdc422a3e72e523efa6385a324f331.exe	Get hash	malicious	PureLog Stealer	Browse	57.128.155.22
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	56.19.239.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176265414815971
Encrypted:	false
SSDEEP:	192:qKMX7XgcbhbVbTbfbRbObtbyEl7nYrPJA6wnSrDtTkd/SLN:qPMcNhnzFSJ4r2jnSrDhkd/SN
MD5:	08D3261526AC6A2DFE73CF9FA3179EEC
SHA1:	079B6AA6DB91FC80B3B5C7612FE51BDB3045D754
SHA-256:	ABBC8780020B2037D4D3F2B1AFA1A9041C55A0D9982E9AA25BACA42BD42D3756
SHA-512:	17DD5F70CF91F8B73068E43F0F1BAF3D9A808B1137ADD2BDCA2E40A4C096E755A420349FAD87F5DAF7322EF5108015C56816E8E718B8CD303F9771DA87590545
Malicious:	false
Preview:	{"type":"uninstall","id":"ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e","creationDate":"2024-11-23T15:29:40.063Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176265414815971
Encrypted:	false
SSDEEP:	192:qKMX7XgcbhbVbTbfbRbObtbyEl7nYrPJA6wnSrDtTkd/SLN:qPMcNhnzFSJ4r2jnSrDhkd/SN
MD5:	08D3261526AC6A2DFE73CF9FA3179EEC
SHA1:	079B6AA6DB91FC80B3B5C7612FE51BDB3045D754
SHA-256:	ABBC8780020B2037D4D3F2B1AFA1A9041C55A0D9982E9AA25BACA42BD42D3756
SHA-512:	17DD5F70CF91F8B73068E43F0F1BAF3D9A808B1137ADD2BDCA2E40A4C096E755A420349FAD87F5DAF7322EF5108015C56816E8E718B8CD303F9771DA87590545
Malicious:	false
Preview:	{"type":"uninstall","id":"ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e","creationDate":"2024-11-23T15:29:40.063Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3KJ86XENC2UGPNFX7AU3.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.29857190481169
Encrypted:	false
SSDEEP:	48:3SdCT5UgdwKz4xdCT/6Bdw24PdCT/adwk1:3YWLk2
MD5:	D84300B4B4AFB2C5F15A13A57245B33D
SHA1:	40F81D352DEF361727822D203D0F8E193ABB9EDB
SHA-256:	A46D161CE9096F487B6D3217B6A001C8B785A0FE6465AD21AF94D79FE9DBCC60
SHA-512:	FEF9995AE6661555BC6022AC7F30AE5B9A24A97D679997E2C7B87537098E71125BED4FDD1A6D61036FA43B53E293FB2DAEEB4F312AF080F223B06E6F032B1989
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........Y.M.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwY.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.n............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.n..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............ng.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.29857190481169
Encrypted:	false
SSDEEP:	48:3SdCT5UgdwKz4xdCT/6Bdw24PdCT/adwk1:3YWLk2
MD5:	D84300B4B4AFB2C5F15A13A57245B33D
SHA1:	40F81D352DEF361727822D203D0F8E193ABB9EDB
SHA-256:	A46D161CE9096F487B6D3217B6A001C8B785A0FE6465AD21AF94D79FE9DBCC60
SHA-512:	FEF9995AE6661555BC6022AC7F30AE5B9A24A97D679997E2C7B87537098E71125BED4FDD1A6D61036FA43B53E293FB2DAEEB4F312AF080F223B06E6F032B1989
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........Y.M.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwY.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.n............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.n..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............ng.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.29857190481169
Encrypted:	false
SSDEEP:	48:3SdCT5UgdwKz4xdCT/6Bdw24PdCT/adwk1:3YWLk2
MD5:	D84300B4B4AFB2C5F15A13A57245B33D
SHA1:	40F81D352DEF361727822D203D0F8E193ABB9EDB
SHA-256:	A46D161CE9096F487B6D3217B6A001C8B785A0FE6465AD21AF94D79FE9DBCC60
SHA-512:	FEF9995AE6661555BC6022AC7F30AE5B9A24A97D679997E2C7B87537098E71125BED4FDD1A6D61036FA43B53E293FB2DAEEB4F312AF080F223B06E6F032B1989
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........Y.M.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwY.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.n............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.n..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............ng.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TEM7ML0AUJ4S12ZKWLWP.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.29857190481169
Encrypted:	false
SSDEEP:	48:3SdCT5UgdwKz4xdCT/6Bdw24PdCT/adwk1:3YWLk2
MD5:	D84300B4B4AFB2C5F15A13A57245B33D
SHA1:	40F81D352DEF361727822D203D0F8E193ABB9EDB
SHA-256:	A46D161CE9096F487B6D3217B6A001C8B785A0FE6465AD21AF94D79FE9DBCC60
SHA-512:	FEF9995AE6661555BC6022AC7F30AE5B9A24A97D679997E2C7B87537098E71125BED4FDD1A6D61036FA43B53E293FB2DAEEB4F312AF080F223B06E6F032B1989
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........Y.M.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IwY.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.n............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.n..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............ng.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925795471436333
Encrypted:	false
SSDEEP:	96:8S+OVPUFRbOdwNIOdYpjvY1Q6LOXFnF8P:8S+OpU3OdwiOdkjULuFF8P
MD5:	3BB06CC0F238509A29C2521AA0AFF4E1
SHA1:	7CCEAF3D4E526DB11BEC0574AE05E3250EB85382
SHA-256:	C1971DA0DA707123EAE5E4989458F2B1D72DEF45FD520F388DE379B78B1AA92E
SHA-512:	8B40FBD5DC7DF5F9EEA21983653FAC55831E0A8A0A005EAB3AA803FBEFFE9CE51D488E6E533D28687754654CBE005B8BC3ACBA46A32C9B3A13AE6361CFCBF5D8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925795471436333
Encrypted:	false
SSDEEP:	96:8S+OVPUFRbOdwNIOdYpjvY1Q6LOXFnF8P:8S+OpU3OdwiOdkjULuFF8P
MD5:	3BB06CC0F238509A29C2521AA0AFF4E1
SHA1:	7CCEAF3D4E526DB11BEC0574AE05E3250EB85382
SHA-256:	C1971DA0DA707123EAE5E4989458F2B1D72DEF45FD520F388DE379B78B1AA92E
SHA-512:	8B40FBD5DC7DF5F9EEA21983653FAC55831E0A8A0A005EAB3AA803FBEFFE9CE51D488E6E533D28687754654CBE005B8BC3ACBA46A32C9B3A13AE6361CFCBF5D8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07316855482745842
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiln:DLhesh7Owd4+jip
MD5:	60A383543686A89796633355B58970CA
SHA1:	F1F152CBB8C5562E8599E2549776FE831C26AF7D
SHA-256:	F37233F22AFF6C66CA5D6D675E49410CD5E3076DD3713ACC34945526AAE5910E
SHA-512:	27A49F45C1CD0B6CB86A2860C0255A1F9C8EF6F25FC6B8F805BAD5B4D2E7FA534C2324305F6A89C5181E27171A8D0461DBA7DC1DF7137048131E6A6DEAC947F6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039545238451853294
Encrypted:	false
SSDEEP:	3:GHlhV8m+65VHBaiIdlhV8m+65VHBaI4l8a9//Ylll4llqlyllel4lt:G7V8m+SBaieV8m+SBaIoL9XIwlio
MD5:	77059F66C03896E6457CCE4420AFD7C3
SHA1:	9594EBD807EF42C71F24948E68B68F4519222AAD
SHA-256:	05411131BBF72EC1F9FDF5E0372BFDEB8696C9F92098CC9E922D69C373CB8749
SHA-512:	F62166C5DE0B5760655286AD418BD42A0DF33215C9899A6A1F3CFE830EC4BCFDF85462A9A7F314ABA32135D34DAD073383FF456B60416543C889B2D2D88546E1
Malicious:	false
Preview:	..-.........................^8...s...b.v.P....8..-.........................^8...s...b.v.P....8........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13347080728045319
Encrypted:	false
SSDEEP:	24:KgfkYLxsZ+u7sy2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2jz:/MMQPF2VJCXs4qLWeJa1VyjwqOZk
MD5:	100BC79A531BC86B8C5BAE3DF7FA3789
SHA1:	FD8E546F1441CBC700806EA1D8DB6DAF212EE91C
SHA-256:	559E3E135B6F74EE4FDDB2AF0F5F35B55B29AA7B8F45B0CE15E364E2C9FAF0EE
SHA-512:	BE83EA452BA5C16F54262605E86B555FA2E96061E97591A09F5E5239BC47D0D25FFC2DFB2449AB1F663EF01DCBF738849101D67EB5D52BAA9C390947CBD975CC
Malicious:	false
Preview:	7....-...........s...b.v..v.2............s...b.vK....;..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478103920000985
Encrypted:	false
SSDEEP:	192:znPOeRnLYbBp6MJ0aX+b6SEXKyGruNu1o5RHWNBw8drSl:jDeJJUOauuSHEww0
MD5:	C401708621CED4041A013D00FB6A9568
SHA1:	1FEC56AF4A0C14F5D5C0C9863B4C05E830C042B2
SHA-256:	0D7FEE1A6BD758FA42120E59AC19588B46A6782BB6EACE08C8D1BB8A135A56C3
SHA-512:	2CF8FA75913F8FE9232F3487E9994A5D339AE8B5D813BD964FF40402FED685764776A5F3DF2197D47488AECEDD9BCECC77DB25B591A8F5A6D18349223A49D1B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732375750);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732375750);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732375750);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173237

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478103920000985
Encrypted:	false
SSDEEP:	192:znPOeRnLYbBp6MJ0aX+b6SEXKyGruNu1o5RHWNBw8drSl:jDeJJUOauuSHEww0
MD5:	C401708621CED4041A013D00FB6A9568
SHA1:	1FEC56AF4A0C14F5D5C0C9863B4C05E830C042B2
SHA-256:	0D7FEE1A6BD758FA42120E59AC19588B46A6782BB6EACE08C8D1BB8A135A56C3
SHA-512:	2CF8FA75913F8FE9232F3487E9994A5D339AE8B5D813BD964FF40402FED685764776A5F3DF2197D47488AECEDD9BCECC77DB25B591A8F5A6D18349223A49D1B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732375750);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732375750);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732375750);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173237

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343925997719388
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4ZLXnIrbN/pnxQwRcWT5sKmgby3eHVpjO+mehujJwO2c0TiVm0BtT:GUpOxBinRcoeg23erjxmTJwc3zBtT
MD5:	457F0340053B46AE5275D7AD2BA5679A
SHA1:	03A7CAE150A29D2C3751A01F9FD9DC354AAF38CF
SHA-256:	EA829420E2D30D9417A204324E3032A2A8791CFEBE0DCE35DAA9728276607B49
SHA-512:	3B428E0BA4A168595C2C5E16903D5C9046E89E53B0F9911157803D92990F5752AFBEFD79B4DAF23F63782039B78A2E31746FBD9812A441335754D8B49E005043
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{2929c878-18bf-460a-af3b-637171a80cc5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732375754943,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P20012...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...24392,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343925997719388
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4ZLXnIrbN/pnxQwRcWT5sKmgby3eHVpjO+mehujJwO2c0TiVm0BtT:GUpOxBinRcoeg23erjxmTJwc3zBtT
MD5:	457F0340053B46AE5275D7AD2BA5679A
SHA1:	03A7CAE150A29D2C3751A01F9FD9DC354AAF38CF
SHA-256:	EA829420E2D30D9417A204324E3032A2A8791CFEBE0DCE35DAA9728276607B49
SHA-512:	3B428E0BA4A168595C2C5E16903D5C9046E89E53B0F9911157803D92990F5752AFBEFD79B4DAF23F63782039B78A2E31746FBD9812A441335754D8B49E005043
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{2929c878-18bf-460a-af3b-637171a80cc5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732375754943,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P20012...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...24392,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	6.343925997719388
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS4ZLXnIrbN/pnxQwRcWT5sKmgby3eHVpjO+mehujJwO2c0TiVm0BtT:GUpOxBinRcoeg23erjxmTJwc3zBtT
MD5:	457F0340053B46AE5275D7AD2BA5679A
SHA1:	03A7CAE150A29D2C3751A01F9FD9DC354AAF38CF
SHA-256:	EA829420E2D30D9417A204324E3032A2A8791CFEBE0DCE35DAA9728276607B49
SHA-512:	3B428E0BA4A168595C2C5E16903D5C9046E89E53B0F9911157803D92990F5752AFBEFD79B4DAF23F63782039B78A2E31746FBD9812A441335754D8B49E005043
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{2929c878-18bf-460a-af3b-637171a80cc5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732375754943,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P20012...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...24392,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030275421785328
Encrypted:	false
SSDEEP:	96:ycSJMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:vTEr5NX0z3DhRe
MD5:	1AE59F8339C0861534E894C5C64B9E60
SHA1:	79391E8F0F3AADDAB35AABA267275E08B50DB2B6
SHA-256:	86165B8471E34867B4CAD17A2D8BD64A126E030B21A8BFCBDE070995E419DD9B
SHA-512:	67BB212B93255732545D9E72A87D8FEF9820214EDD56E3AFD8731C394148696F238D165D7CB53D27C824BA288CE536B48D510718C40C4A3A5A29C4069949A7F7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T15:28:55.981Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030275421785328
Encrypted:	false
SSDEEP:	96:ycSJMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:vTEr5NX0z3DhRe
MD5:	1AE59F8339C0861534E894C5C64B9E60
SHA1:	79391E8F0F3AADDAB35AABA267275E08B50DB2B6
SHA-256:	86165B8471E34867B4CAD17A2D8BD64A126E030B21A8BFCBDE070995E419DD9B
SHA-512:	67BB212B93255732545D9E72A87D8FEF9820214EDD56E3AFD8731C394148696F238D165D7CB53D27C824BA288CE536B48D510718C40C4A3A5A29C4069949A7F7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T15:28:55.981Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.59248270219208
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	143c4039d125e72ce6d0ce771f89c518
SHA1:	ad5f6bdad7301b371a623b024c2444b9d4ef7495
SHA256:	dc7b10f48766a87a2b7e0a4cfe2f61e8c0c1eb456cbef0e9012c4010aecd15ad
SHA512:	6cb458281b3da62f00af0489db4f80399af4621d690d62d6c115d0b46943ff74bf0fac405b2022d27dbf2aeeda5a1bc0e8dbf0479eb0cad0edca9a1fe981d2e5
SSDEEP:	12288:8qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarT8lx:8qDEvCTbMWu7rQYlBQcBiT6rprG8av4
TLSH:	B8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741D670 [Sat Nov 23 13:19:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F41ECC0A0F3h
jmp 00007F41ECC099FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41ECC09BDDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41ECC09BAAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F41ECC0C79Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F41ECC0C7E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F41ECC0C7D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa898	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa898	0xaa00	748a5124fccdddb29b954a75fd4450ad	False	0.3702435661764706	data	5.649949593605038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1b60	data			1.0015696347031964
RT_GROUP_ICON	0xde318	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde390	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde3a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde3b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde3cc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde4a8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:55:03.864023924 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:03.864065886 CET	443	49710	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:03.864362955 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:03.869313002 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:03.869333029 CET	443	49710	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:04.512602091 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.512669086 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:04.514172077 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.515614033 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.515666008 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:04.679670095 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.679765940 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:04.689356089 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.691171885 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:04.691205978 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:05.033298016 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:05.033454895 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.033469915 CET	443	49715	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:05.034821987 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.036207914 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.036216021 CET	443	49715	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:05.114025116 CET	443	49710	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:05.122786045 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:05.134321928 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:05.134340048 CET	443	49710	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:05.134478092 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:05.134695053 CET	443	49710	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:05.134874105 CET	49710	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:05.153022051 CET	80	49714	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:05.153112888 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:05.153247118 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:05.178332090 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.178364992 CET	443	49716	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:05.178828001 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.179027081 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:05.179045916 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:05.179158926 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:05.180381060 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:05.180403948 CET	443	49716	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:05.180490971 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:05.180512905 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:05.276335955 CET	80	49714	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:05.960963011 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:05.960999012 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:05.961292028 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:05.961402893 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:05.961416006 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:06.244900942 CET	80	49714	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:06.296761990 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:06.320987940 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.321060896 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.322417974 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.322474003 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.322869062 CET	443	49715	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.322936058 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.327291012 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.327334881 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.327600002 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.327625990 CET	443	49711	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.327856064 CET	49711	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.329408884 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.329417944 CET	443	49715	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.329515934 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.329668045 CET	443	49715	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.329911947 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.329946995 CET	443	49720	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.329962015 CET	49715	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.330079079 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.331378937 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.331396103 CET	443	49720	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.456703901 CET	443	49716	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.456785917 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.461090088 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.461132050 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.461246967 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.462107897 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.462126017 CET	443	49716	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.462222099 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.462254047 CET	443	49716	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.462308884 CET	49716	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.462579966 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.462666988 CET	443	49721	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.462835073 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.463635921 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.464195967 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:06.464246035 CET	443	49721	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:06.464312077 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.468203068 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.468231916 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.468290091 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.468504906 CET	443	49712	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.468602896 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.468631983 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.468763113 CET	49712	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.468786955 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.470200062 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:06.470213890 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:06.509814978 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:06.509896040 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.512697935 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.512712002 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:06.513122082 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:06.514962912 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.515058041 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.515125036 CET	443	49717	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:06.516113043 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.516143084 CET	49717	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:06.684226990 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:06.804917097 CET	80	49714	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:06.805171967 CET	49714	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.097805977 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.192235947 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:07.192393064 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.195466995 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.195496082 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:07.196918964 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:07.198214054 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.198276997 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.198648930 CET	443	49718	34.160.144.191	192.168.2.5
Nov 23, 2024 14:55:07.199019909 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.199019909 CET	49718	443	192.168.2.5	34.160.144.191
Nov 23, 2024 14:55:07.218267918 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:07.220565081 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.220753908 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.234301090 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.340305090 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:07.355298042 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:07.355631113 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.355751991 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:07.388254881 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:07.388274908 CET	443	49726	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:07.391135931 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:07.392951012 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:07.392961025 CET	443	49726	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:07.412204027 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:07.412241936 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:07.412370920 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:07.412544966 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:07.412570000 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:07.441175938 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:07.441229105 CET	443	49728	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:07.441507101 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:07.443109989 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:07.443141937 CET	443	49728	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:07.475260973 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:07.648916006 CET	443	49720	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.649209976 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.699770927 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:07.699840069 CET	443	49729	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:07.700046062 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:07.701853991 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:07.701877117 CET	443	49729	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:07.703941107 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.703960896 CET	443	49720	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.703999996 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.704499960 CET	443	49720	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.704662085 CET	49720	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.772979975 CET	443	49721	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.777415037 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.816107988 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.816123009 CET	443	49721	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.816209078 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.816274881 CET	443	49721	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.820821047 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.820900917 CET	443	49730	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:07.820940018 CET	49721	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.821263075 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.822828054 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:07.822864056 CET	443	49730	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:08.164832115 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:08.165827990 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:08.166337013 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:08.166356087 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:08.171241045 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:08.171255112 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:08.171327114 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:08.171510935 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 14:55:08.186223984 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 14:55:08.353163958 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:08.426553011 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:08.488166094 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:08.539441109 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:08.675544977 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:08.675627947 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:08.678136110 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:08.678143978 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:08.678610086 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:08.680805922 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:08.680886984 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:08.680984974 CET	443	49727	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:08.681082964 CET	49727	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:08.705324888 CET	443	49728	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:08.705399036 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:08.712444067 CET	443	49726	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:08.712517977 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:08.840198994 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:08.840217113 CET	443	49726	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:08.840456963 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:08.840601921 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:08.840635061 CET	443	49728	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:08.840663910 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:08.840861082 CET	443	49728	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:08.840888023 CET	443	49726	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:08.840929031 CET	49728	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:08.840979099 CET	49726	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:08.973484993 CET	443	49729	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:08.973608971 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:08.978688955 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:08.978688955 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:08.978718042 CET	443	49729	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:08.978976011 CET	443	49729	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:08.979043007 CET	49729	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:09.132554054 CET	443	49730	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:09.132639885 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:09.136290073 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:09.136337996 CET	443	49730	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:09.136389017 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:09.136502028 CET	443	49730	34.117.188.166	192.168.2.5
Nov 23, 2024 14:55:09.136765003 CET	49730	443	192.168.2.5	34.117.188.166
Nov 23, 2024 14:55:12.826410055 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:12.945976019 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:12.975456953 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:13.011171103 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:13.011214972 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:13.011460066 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:13.013027906 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:13.013045073 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:13.095032930 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:13.141299963 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141345024 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.141364098 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141416073 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.141592026 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141597033 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141740084 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141751051 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.141849041 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.141884089 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.143016100 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.143040895 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.143762112 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.145045996 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:13.145068884 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:13.150616884 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:13.195334911 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:13.299590111 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:13.349165916 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:14.274008989 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:14.274105072 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:14.278906107 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:14.278923035 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:14.278986931 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:14.279103994 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:14.279164076 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:14.402826071 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.405502081 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.410223007 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.411334038 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.415361881 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.419338942 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.421046019 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.421046972 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.421061993 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.423918009 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.423948050 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.424220085 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.425904989 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.425932884 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.426887035 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.430314064 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.430402994 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.430464029 CET	443	49733	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.430695057 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.430754900 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.431070089 CET	443	49734	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.436645985 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.436645985 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.436667919 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.436686993 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.439843893 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.439861059 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.439910889 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.440732002 CET	443	49735	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:14.452222109 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.452234030 CET	49733	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.452266932 CET	49735	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:14.452280045 CET	49734	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:17.675034046 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:17.794662952 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:17.801784992 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:17.801898956 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:17.808777094 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:17.809086084 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:17.809106112 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:17.999435902 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:18.051810026 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:18.280282974 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:18.283620119 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:18.283646107 CET	443	49742	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:18.288450956 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:18.290510893 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:18.290525913 CET	443	49742	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:18.400840998 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:18.501466036 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:18.501497984 CET	443	49743	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:18.502093077 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:18.502209902 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:18.504745007 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:18.504981995 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:18.605878115 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:18.653559923 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:19.074887991 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.074923038 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.075058937 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.502585888 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.502628088 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.502934933 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.504066944 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:19.504086018 CET	443	49743	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:19.504528046 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.504575968 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.507025003 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.507097960 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.507234097 CET	443	49741	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.507297039 CET	49741	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.597899914 CET	443	49742	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.598114014 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.602843046 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.602848053 CET	443	49742	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.602941990 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:19.603411913 CET	443	49742	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:19.603524923 CET	49742	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.026587963 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:20.146656990 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:20.351439953 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:20.405407906 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:20.765105963 CET	443	49743	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:20.766474962 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:20.772943974 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:20.779330969 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:20.781339884 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.781622887 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.783453941 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.783479929 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:20.783885002 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:20.784322977 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:20.784337997 CET	443	49743	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:20.784394979 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:20.784959078 CET	443	49743	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:20.785412073 CET	49743	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:20.786231995 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.786303043 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:20.786453962 CET	443	49744	34.120.208.123	192.168.2.5
Nov 23, 2024 14:55:20.786614895 CET	49744	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:55:22.018409014 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:22.137969971 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:22.344432116 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:22.348352909 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:22.395431995 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:22.469417095 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:22.674002886 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:22.727576971 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:32.316687107 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:32.316714048 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:32.320163012 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:32.320269108 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:32.320276976 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:32.338917971 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:32.338968992 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:32.339163065 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:32.339404106 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:32.339432955 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:32.346019030 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:32.346057892 CET	443	49780	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:32.347142935 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:32.348643064 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:32.348663092 CET	443	49780	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:32.355189085 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:32.474685907 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:32.517354965 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:32.517436028 CET	443	49784	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:32.517524004 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:32.518965960 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:32.518996000 CET	443	49784	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:32.565839052 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:32.565886021 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:32.569042921 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:32.569190979 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:32.569217920 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:32.678158998 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:32.706422091 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:32.706451893 CET	443	49788	35.201.103.21	192.168.2.5
Nov 23, 2024 14:55:32.706743002 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:32.708143950 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:32.708168983 CET	443	49788	35.201.103.21	192.168.2.5
Nov 23, 2024 14:55:32.806421995 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:33.595174074 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.595277071 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.598318100 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.598325968 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.598664999 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.600207090 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.600291967 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.600370884 CET	443	49778	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.600440025 CET	49778	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.604135036 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:33.667761087 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.667853117 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.670561075 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.670593023 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.671423912 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.672432899 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.672564983 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.672904968 CET	443	49779	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.672995090 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.673037052 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.673080921 CET	49779	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.673280001 CET	443	49780	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:33.673326015 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.673470974 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:33.673480034 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:33.673590899 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:33.676872015 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:33.676903963 CET	443	49780	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:33.676949978 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:33.677335024 CET	443	49780	35.190.72.216	192.168.2.5
Nov 23, 2024 14:55:33.677414894 CET	49780	443	192.168.2.5	35.190.72.216
Nov 23, 2024 14:55:33.723874092 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:33.827933073 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:33.828013897 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:33.828906059 CET	443	49784	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:33.830962896 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:33.831007004 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:33.831252098 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:33.832515955 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:33.834465981 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:33.834559917 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:33.834613085 CET	443	49785	151.101.65.91	192.168.2.5
Nov 23, 2024 14:55:33.836615086 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:33.836668015 CET	443	49784	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:33.836702108 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:33.837080956 CET	443	49784	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:33.837558985 CET	49785	443	192.168.2.5	151.101.65.91
Nov 23, 2024 14:55:33.837575912 CET	49784	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:33.842472076 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.842542887 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.842758894 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.842946053 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.842979908 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.845166922 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.845235109 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.845546961 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.845752001 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.845787048 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.847664118 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.847719908 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.848100901 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.848229885 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:33.848269939 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:33.927877903 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:33.930713892 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:33.981890917 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:34.012887955 CET	443	49788	35.201.103.21	192.168.2.5
Nov 23, 2024 14:55:34.013044119 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:34.018548965 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:34.018574953 CET	443	49788	35.201.103.21	192.168.2.5
Nov 23, 2024 14:55:34.018623114 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:34.018712997 CET	443	49788	35.201.103.21	192.168.2.5
Nov 23, 2024 14:55:34.018886089 CET	49788	443	192.168.2.5	35.201.103.21
Nov 23, 2024 14:55:34.021212101 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:34.031073093 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:34.031104088 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:34.031466961 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:34.031600952 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:34.031613111 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:34.058274984 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.177850962 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.262862921 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.314042091 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:34.382936001 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.387161016 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:34.429929018 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:34.508738041 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.713157892 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:34.764070988 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:35.071309090 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.071400881 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.074320078 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.074326992 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.074736118 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.077224970 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.077322006 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.077465057 CET	443	49789	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.078708887 CET	49789	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.080774069 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:35.102215052 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.102297068 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.104912996 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.104932070 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.105257988 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.107552052 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.107629061 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.107845068 CET	443	49791	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.114882946 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.114882946 CET	49791	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.187824011 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.187900066 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.190800905 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.190831900 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.191858053 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.192436934 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.192524910 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.194806099 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.194817066 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.195213079 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.196485996 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.196755886 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.196970940 CET	443	49792	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.197741032 CET	49792	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.197987080 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.198056936 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.198184013 CET	443	49790	35.244.181.201	192.168.2.5
Nov 23, 2024 14:55:35.200457096 CET	49790	443	192.168.2.5	35.244.181.201
Nov 23, 2024 14:55:35.200577021 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:35.268520117 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.268898964 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.271760941 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.271768093 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.272008896 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.274401903 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.274455070 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.274528980 CET	443	49793	34.149.100.209	192.168.2.5
Nov 23, 2024 14:55:35.274646044 CET	49793	443	192.168.2.5	34.149.100.209
Nov 23, 2024 14:55:35.404769897 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:35.407455921 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:35.448434114 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:35.531219959 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:35.735920906 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:35.787234068 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:45.417752028 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:45.541445971 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:45.756392956 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:45.878503084 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:53.885261059 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:53.885318995 CET	443	49839	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:53.885471106 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:53.886763096 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:53.886796951 CET	443	49839	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:55.151801109 CET	443	49839	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:55.151905060 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:55.156692028 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:55.156711102 CET	443	49839	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:55.156788111 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:55.156975985 CET	443	49839	34.107.243.93	192.168.2.5
Nov 23, 2024 14:55:55.157414913 CET	49839	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:55:55.159194946 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:55.279164076 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:55.483597040 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:55.487458944 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:55.530589104 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:55:55.607558012 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:55.813209057 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:55:55.862728119 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:02.475019932 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.475037098 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:02.475416899 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.475447893 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:02.476418972 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.476632118 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.476634026 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.476644993 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:02.476778984 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:02.476792097 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.741153002 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.741291046 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.744431973 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.744442940 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.744853973 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.747009993 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.747114897 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.747179985 CET	443	49861	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.750340939 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:03.750844002 CET	49861	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.786380053 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.786468029 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.789016962 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.789031029 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.789812088 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.790852070 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.790937901 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.791192055 CET	443	49860	34.120.208.123	192.168.2.5
Nov 23, 2024 14:56:03.795025110 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.795025110 CET	49860	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:56:03.869955063 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:04.074398041 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:04.077954054 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:04.124380112 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:04.197647095 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:04.402004957 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:04.456505060 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:14.084116936 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:14.204349041 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:14.416362047 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:14.539086103 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:24.213268995 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:24.333287001 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:24.545260906 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:24.669783115 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:34.341824055 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:34.461685896 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:34.678271055 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:34.801151991 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:35.349006891 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:35.349069118 CET	443	49935	34.107.243.93	192.168.2.5
Nov 23, 2024 14:56:35.349441051 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:35.350898027 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:35.350928068 CET	443	49935	34.107.243.93	192.168.2.5
Nov 23, 2024 14:56:36.656855106 CET	443	49935	34.107.243.93	192.168.2.5
Nov 23, 2024 14:56:36.657119036 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:36.662695885 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:36.662722111 CET	443	49935	34.107.243.93	192.168.2.5
Nov 23, 2024 14:56:36.662802935 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:36.662924051 CET	443	49935	34.107.243.93	192.168.2.5
Nov 23, 2024 14:56:36.663027048 CET	49935	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:56:36.667113066 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:36.786772966 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:36.991041899 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:36.994762897 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:37.034136057 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:37.114373922 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:37.318763971 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:37.366138935 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:46.992541075 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:47.112157106 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:47.331186056 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:47.450943947 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:57.122509003 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:57.242073059 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:56:57.461096048 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:56:57.580776930 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:07.251888037 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:07.590544939 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:07.646634102 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:08.088280916 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:17.661781073 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:18.100650072 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:18.511663914 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:18.511823893 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:28.531209946 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:28.531255960 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:28.651555061 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:28.651583910 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:38.660429955 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:38.660446882 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:38.780910015 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:38.780945063 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:48.789139986 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:48.789180040 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:48.909049988 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:48.909125090 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:57.178437948 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:57.178520918 CET	443	50031	34.107.243.93	192.168.2.5
Nov 23, 2024 14:57:57.178832054 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:57.180413008 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:57.180444956 CET	443	50031	34.107.243.93	192.168.2.5
Nov 23, 2024 14:57:58.444459915 CET	443	50031	34.107.243.93	192.168.2.5
Nov 23, 2024 14:57:58.444544077 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:58.450484037 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:58.450490952 CET	443	50031	34.107.243.93	192.168.2.5
Nov 23, 2024 14:57:58.450710058 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:58.450864077 CET	443	50031	34.107.243.93	192.168.2.5
Nov 23, 2024 14:57:58.450932026 CET	50031	443	192.168.2.5	34.107.243.93
Nov 23, 2024 14:57:58.453994036 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:58.573617935 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:58.778130054 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:58.783209085 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:58.833048105 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:57:58.902863026 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:59.107547998 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:57:59.149521112 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:04.369041920 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369086981 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:04.369179964 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369251966 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:04.369282007 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369290113 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:04.369623899 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369677067 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369684935 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369791031 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369801998 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:04.369919062 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.369931936 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:04.370014906 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:04.370050907 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.632592916 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.632688999 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.635963917 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.635978937 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.636393070 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.636528969 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.636610031 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.638926983 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.638936043 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.639779091 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.641330004 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.641478062 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.641537905 CET	443	50033	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.642203093 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.642282963 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.642559052 CET	443	50034	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.642869949 CET	50033	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.642884016 CET	50034	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.644501925 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:05.683136940 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.683219910 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.686230898 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.686237097 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.686701059 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.688266993 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.688307047 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.688438892 CET	443	50032	34.120.208.123	192.168.2.5
Nov 23, 2024 14:58:05.688918114 CET	50032	443	192.168.2.5	34.120.208.123
Nov 23, 2024 14:58:05.764956951 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:05.765032053 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:05.885077000 CET	50035	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:06.004667997 CET	80	50035	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:06.004775047 CET	50035	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:06.004885912 CET	50035	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:06.124403954 CET	80	50035	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:07.188081980 CET	80	50035	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:07.190798044 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.191371918 CET	50036	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.236989975 CET	50035	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.317464113 CET	80	49723	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:07.317559958 CET	80	50036	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:07.317689896 CET	49723	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.317738056 CET	50036	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.317854881 CET	50036	80	192.168.2.5	34.107.221.82
Nov 23, 2024 14:58:07.504273891 CET	80	50036	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:08.403019905 CET	80	50036	34.107.221.82	192.168.2.5
Nov 23, 2024 14:58:08.462582111 CET	50036	80	192.168.2.5	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:55:03.864247084 CET	62246	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.002528906 CET	53	62246	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.005542040 CET	61620	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.263417959 CET	53	61620	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.370160103 CET	63783	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.370160103 CET	53773	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.511728048 CET	53	63783	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.513230085 CET	61969	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.516396046 CET	57136	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.654076099 CET	53	61969	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.654623032 CET	60069	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.654623032 CET	54675	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.795382977 CET	53	54675	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.796427011 CET	52883	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.833152056 CET	57700	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:04.879705906 CET	53	60069	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.933208942 CET	53	52883	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:04.971780062 CET	53	57700	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.033799887 CET	50849	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.039120913 CET	54257	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.172338963 CET	53	50849	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.173103094 CET	58755	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.177580118 CET	53	54257	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.178642988 CET	64694	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.179496050 CET	59018	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.197360992 CET	63777	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.314126015 CET	53	58755	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.322930098 CET	53	64694	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.323849916 CET	55273	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.326771975 CET	53	59018	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.339598894 CET	59338	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:05.466499090 CET	53	55273	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.485483885 CET	53	59338	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.959753990 CET	53	63777	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:05.961189985 CET	51844	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.077862024 CET	62457	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.104769945 CET	53	51844	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:06.111999989 CET	53946	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.256628990 CET	53	53946	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:06.279608011 CET	62414	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.281023979 CET	56295	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.416716099 CET	53	62414	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:06.418622971 CET	53	56295	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:06.605566978 CET	63002	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:06.794857979 CET	53	62643	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.245282888 CET	62783	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.298152924 CET	61549	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.383548021 CET	53	62783	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.386219025 CET	53270	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.388531923 CET	57170	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.437657118 CET	53	61549	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.441530943 CET	56332	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.524777889 CET	53	53270	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.525542021 CET	54042	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.526607990 CET	53	57170	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.527290106 CET	63596	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.579309940 CET	53	56332	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.582231045 CET	51319	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:07.666122913 CET	53	63596	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.672647953 CET	53	54042	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:07.719675064 CET	53	51319	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:12.824582100 CET	56345	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:12.962085009 CET	53	56345	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:12.964525938 CET	61487	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:12.980427980 CET	59447	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:13.104543924 CET	53	61487	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:13.120573044 CET	53	59447	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:13.140652895 CET	56054	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:13.279407978 CET	53	56054	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.657254934 CET	60716	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.657533884 CET	52718	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.665983915 CET	51711	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.795555115 CET	53	60716	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.795689106 CET	53	52718	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.797976017 CET	56271	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.798841000 CET	50121	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.805425882 CET	53	51711	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.939316034 CET	53	56271	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.939742088 CET	53	50121	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:17.940886974 CET	64085	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:17.941139936 CET	51057	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.078157902 CET	53	64085	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.079090118 CET	53	51057	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.279594898 CET	55532	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.279628038 CET	59724	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.280118942 CET	54223	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.418318987 CET	53	54223	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.418925047 CET	53	59724	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.420244932 CET	52955	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.420485020 CET	55781	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.425256968 CET	53	55532	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.426090956 CET	57996	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.558613062 CET	53	52955	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.564189911 CET	53	57996	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.571382999 CET	51911	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.674290895 CET	53	55781	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.683954000 CET	56361	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:18.709446907 CET	53	51911	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:18.824429035 CET	53	56361	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:19.501647949 CET	55093	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:19.502285957 CET	58762	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:19.640197039 CET	53	55093	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:19.640255928 CET	53	58762	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.282677889 CET	57082	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.324265957 CET	63321	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.338334084 CET	52231	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.378168106 CET	57647	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.464421034 CET	53	63321	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.516297102 CET	53	57082	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.518069029 CET	51355	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.564686060 CET	53	52231	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.566112995 CET	64901	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.694123030 CET	53	51355	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.701492071 CET	53	57647	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.706114054 CET	53	64901	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.706569910 CET	55500	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.707055092 CET	57470	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.891494036 CET	53	55500	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:32.891961098 CET	60370	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:32.977909088 CET	53	57470	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:33.032320976 CET	53	60370	1.1.1.1	192.168.2.5
Nov 23, 2024 14:55:53.885818005 CET	52379	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:55:54.023376942 CET	53	52379	1.1.1.1	192.168.2.5
Nov 23, 2024 14:56:02.474123001 CET	56909	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:56:02.611804008 CET	53	56909	1.1.1.1	192.168.2.5
Nov 23, 2024 14:56:35.203939915 CET	64920	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:56:35.347896099 CET	53	64920	1.1.1.1	192.168.2.5
Nov 23, 2024 14:56:35.349350929 CET	60559	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:56:35.489881992 CET	53	60559	1.1.1.1	192.168.2.5
Nov 23, 2024 14:56:36.667470932 CET	54450	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:57:56.893127918 CET	59965	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:57:57.030467987 CET	53	59965	1.1.1.1	192.168.2.5
Nov 23, 2024 14:57:57.032077074 CET	64290	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:57:57.177292109 CET	53	64290	1.1.1.1	192.168.2.5
Nov 23, 2024 14:57:57.178355932 CET	54332	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:57:57.320183039 CET	53	54332	1.1.1.1	192.168.2.5
Nov 23, 2024 14:57:58.454355955 CET	57598	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:58:04.369837046 CET	51703	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:58:04.515497923 CET	53	51703	1.1.1.1	192.168.2.5
Nov 23, 2024 14:58:05.644695997 CET	51740	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:58:05.836500883 CET	51740	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 14:55:03.864247084 CET	192.168.2.5	1.1.1.1	0xd569	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.005542040 CET	192.168.2.5	1.1.1.1	0x6ee7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:04.370160103 CET	192.168.2.5	1.1.1.1	0xddcf	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.370160103 CET	192.168.2.5	1.1.1.1	0xad6e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.513230085 CET	192.168.2.5	1.1.1.1	0x30dc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.516396046 CET	192.168.2.5	1.1.1.1	0x1e32	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.654623032 CET	192.168.2.5	1.1.1.1	0xcb09	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:04.654623032 CET	192.168.2.5	1.1.1.1	0xb2fc	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.796427011 CET	192.168.2.5	1.1.1.1	0xe054	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:04.833152056 CET	192.168.2.5	1.1.1.1	0xf0b3	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.033799887 CET	192.168.2.5	1.1.1.1	0xfe02	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.039120913 CET	192.168.2.5	1.1.1.1	0x538f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.173103094 CET	192.168.2.5	1.1.1.1	0xb221	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:05.178642988 CET	192.168.2.5	1.1.1.1	0x1fac	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.179496050 CET	192.168.2.5	1.1.1.1	0x7e67	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.197360992 CET	192.168.2.5	1.1.1.1	0xf4f9	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.323849916 CET	192.168.2.5	1.1.1.1	0xbd4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:05.339598894 CET	192.168.2.5	1.1.1.1	0x5b79	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:05.961189985 CET	192.168.2.5	1.1.1.1	0x4690	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.077862024 CET	192.168.2.5	1.1.1.1	0xf2ab	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.111999989 CET	192.168.2.5	1.1.1.1	0x8fdc	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:06.279608011 CET	192.168.2.5	1.1.1.1	0xa043	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.281023979 CET	192.168.2.5	1.1.1.1	0x13ca	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.605566978 CET	192.168.2.5	1.1.1.1	0xbc10	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.245282888 CET	192.168.2.5	1.1.1.1	0x6eae	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.298152924 CET	192.168.2.5	1.1.1.1	0x10a7	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.386219025 CET	192.168.2.5	1.1.1.1	0x9d8e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.388531923 CET	192.168.2.5	1.1.1.1	0x1927	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.441530943 CET	192.168.2.5	1.1.1.1	0xcaf0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.525542021 CET	192.168.2.5	1.1.1.1	0xa655	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:07.527290106 CET	192.168.2.5	1.1.1.1	0xce0f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:07.582231045 CET	192.168.2.5	1.1.1.1	0x2bbd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:12.824582100 CET	192.168.2.5	1.1.1.1	0x445b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:12.964525938 CET	192.168.2.5	1.1.1.1	0x53e6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:12.980427980 CET	192.168.2.5	1.1.1.1	0xc5cd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:13.140652895 CET	192.168.2.5	1.1.1.1	0x2f60	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:17.657254934 CET	192.168.2.5	1.1.1.1	0xb25b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.657533884 CET	192.168.2.5	1.1.1.1	0x2508	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.665983915 CET	192.168.2.5	1.1.1.1	0xed6e	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.797976017 CET	192.168.2.5	1.1.1.1	0x45c4	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.798841000 CET	192.168.2.5	1.1.1.1	0xe1d1	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.940886974 CET	192.168.2.5	1.1.1.1	0xa66a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:17.941139936 CET	192.168.2.5	1.1.1.1	0x3d0f	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:18.279594898 CET	192.168.2.5	1.1.1.1	0x9614	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.279628038 CET	192.168.2.5	1.1.1.1	0xf7cc	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.280118942 CET	192.168.2.5	1.1.1.1	0xd91b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.420244932 CET	192.168.2.5	1.1.1.1	0xf16b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.420485020 CET	192.168.2.5	1.1.1.1	0x7e9e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.426090956 CET	192.168.2.5	1.1.1.1	0x229c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 14:55:18.571382999 CET	192.168.2.5	1.1.1.1	0xdef5	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:18.683954000 CET	192.168.2.5	1.1.1.1	0x4c28	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:19.501647949 CET	192.168.2.5	1.1.1.1	0x1f74	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:19.502285957 CET	192.168.2.5	1.1.1.1	0x2c0a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:32.282677889 CET	192.168.2.5	1.1.1.1	0x157f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.324265957 CET	192.168.2.5	1.1.1.1	0xfbed	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 14:55:32.338334084 CET	192.168.2.5	1.1.1.1	0x227d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.378168106 CET	192.168.2.5	1.1.1.1	0x1617	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.518069029 CET	192.168.2.5	1.1.1.1	0x14fe	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:32.566112995 CET	192.168.2.5	1.1.1.1	0x4c8f	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.706569910 CET	192.168.2.5	1.1.1.1	0x77f6	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.707055092 CET	192.168.2.5	1.1.1.1	0x9cd2	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 14:55:32.891961098 CET	192.168.2.5	1.1.1.1	0xc734	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:55:53.885818005 CET	192.168.2.5	1.1.1.1	0xecdc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:56:02.474123001 CET	192.168.2.5	1.1.1.1	0xe360	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:56:35.203939915 CET	192.168.2.5	1.1.1.1	0x4b20	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:56:35.349350929 CET	192.168.2.5	1.1.1.1	0xc197	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:56:36.667470932 CET	192.168.2.5	1.1.1.1	0xa9a7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:56.893127918 CET	192.168.2.5	1.1.1.1	0x6b55	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:57.032077074 CET	192.168.2.5	1.1.1.1	0x339	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:57.178355932 CET	192.168.2.5	1.1.1.1	0xeaf5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:57:58.454355955 CET	192.168.2.5	1.1.1.1	0xdda3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:58:04.369837046 CET	192.168.2.5	1.1.1.1	0xed5d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 14:58:05.644695997 CET	192.168.2.5	1.1.1.1	0x4450	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:58:05.836500883 CET	192.168.2.5	1.1.1.1	0x4450	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 14:55:03.861514091 CET	1.1.1.1	192.168.2.5	0x9cf1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.002528906 CET	1.1.1.1	192.168.2.5	0xd569	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.511728048 CET	1.1.1.1	192.168.2.5	0xddcf	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.511770010 CET	1.1.1.1	192.168.2.5	0xad6e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:04.511770010 CET	1.1.1.1	192.168.2.5	0xad6e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.653737068 CET	1.1.1.1	192.168.2.5	0x1e32	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:04.653737068 CET	1.1.1.1	192.168.2.5	0x1e32	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.654076099 CET	1.1.1.1	192.168.2.5	0x30dc	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.795382977 CET	1.1.1.1	192.168.2.5	0xb2fc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:04.879705906 CET	1.1.1.1	192.168.2.5	0xcb09	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:04.933208942 CET	1.1.1.1	192.168.2.5	0xe054	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 14:55:04.971780062 CET	1.1.1.1	192.168.2.5	0xf0b3	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.172338963 CET	1.1.1.1	192.168.2.5	0xfe02	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.177580118 CET	1.1.1.1	192.168.2.5	0x538f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:05.177580118 CET	1.1.1.1	192.168.2.5	0x538f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.178297997 CET	1.1.1.1	192.168.2.5	0xcc2e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:05.178297997 CET	1.1.1.1	192.168.2.5	0xcc2e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.322930098 CET	1.1.1.1	192.168.2.5	0x1fac	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.326771975 CET	1.1.1.1	192.168.2.5	0x7e67	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:05.959753990 CET	1.1.1.1	192.168.2.5	0xf4f9	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:05.959753990 CET	1.1.1.1	192.168.2.5	0xf4f9	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:05.959753990 CET	1.1.1.1	192.168.2.5	0xf4f9	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.104769945 CET	1.1.1.1	192.168.2.5	0x4690	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.256628990 CET	1.1.1.1	192.168.2.5	0x8fdc	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 14:55:06.319466114 CET	1.1.1.1	192.168.2.5	0xf2ab	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:06.416716099 CET	1.1.1.1	192.168.2.5	0xa043	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.418622971 CET	1.1.1.1	192.168.2.5	0x13ca	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:06.418622971 CET	1.1.1.1	192.168.2.5	0x13ca	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.089636087 CET	1.1.1.1	192.168.2.5	0xbc10	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:07.089636087 CET	1.1.1.1	192.168.2.5	0xbc10	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.383548021 CET	1.1.1.1	192.168.2.5	0x6eae	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.384614944 CET	1.1.1.1	192.168.2.5	0x6596	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.407224894 CET	1.1.1.1	192.168.2.5	0x8e16	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:07.407224894 CET	1.1.1.1	192.168.2.5	0x8e16	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.437657118 CET	1.1.1.1	192.168.2.5	0x10a7	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:07.437657118 CET	1.1.1.1	192.168.2.5	0x10a7	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.524777889 CET	1.1.1.1	192.168.2.5	0x9d8e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.526607990 CET	1.1.1.1	192.168.2.5	0x1927	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:07.579309940 CET	1.1.1.1	192.168.2.5	0xcaf0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:12.962085009 CET	1.1.1.1	192.168.2.5	0x445b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:12.962085009 CET	1.1.1.1	192.168.2.5	0x445b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:12.962085009 CET	1.1.1.1	192.168.2.5	0x445b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:13.104543924 CET	1.1.1.1	192.168.2.5	0x53e6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:13.118578911 CET	1.1.1.1	192.168.2.5	0xf757	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795555115 CET	1.1.1.1	192.168.2.5	0xb25b	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795689106 CET	1.1.1.1	192.168.2.5	0x2508	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:17.795689106 CET	1.1.1.1	192.168.2.5	0x2508	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.805425882 CET	1.1.1.1	192.168.2.5	0xed6e	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:17.805425882 CET	1.1.1.1	192.168.2.5	0xed6e	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939316034 CET	1.1.1.1	192.168.2.5	0x45c4	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:17.939742088 CET	1.1.1.1	192.168.2.5	0xe1d1	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.078157902 CET	1.1.1.1	192.168.2.5	0xa66a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.078157902 CET	1.1.1.1	192.168.2.5	0xa66a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.078157902 CET	1.1.1.1	192.168.2.5	0xa66a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.078157902 CET	1.1.1.1	192.168.2.5	0xa66a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.079090118 CET	1.1.1.1	192.168.2.5	0x3d0f	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.418318987 CET	1.1.1.1	192.168.2.5	0xd91b	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.418925047 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:18.418925047 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.418925047 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.418925047 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.418925047 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.425256968 CET	1.1.1.1	192.168.2.5	0x9614	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.558613062 CET	1.1.1.1	192.168.2.5	0xf16b	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.558613062 CET	1.1.1.1	192.168.2.5	0xf16b	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.558613062 CET	1.1.1.1	192.168.2.5	0xf16b	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.558613062 CET	1.1.1.1	192.168.2.5	0xf16b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.564189911 CET	1.1.1.1	192.168.2.5	0x229c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 14:55:18.674290895 CET	1.1.1.1	192.168.2.5	0x7e9e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.674290895 CET	1.1.1.1	192.168.2.5	0x7e9e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.674290895 CET	1.1.1.1	192.168.2.5	0x7e9e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:18.674290895 CET	1.1.1.1	192.168.2.5	0x7e9e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.516297102 CET	1.1.1.1	192.168.2.5	0x157f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.564686060 CET	1.1.1.1	192.168.2.5	0x227d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.564686060 CET	1.1.1.1	192.168.2.5	0x227d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.564686060 CET	1.1.1.1	192.168.2.5	0x227d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.564686060 CET	1.1.1.1	192.168.2.5	0x227d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.701492071 CET	1.1.1.1	192.168.2.5	0x1617	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:32.701492071 CET	1.1.1.1	192.168.2.5	0x1617	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.706114054 CET	1.1.1.1	192.168.2.5	0x4c8f	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.706114054 CET	1.1.1.1	192.168.2.5	0x4c8f	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.706114054 CET	1.1.1.1	192.168.2.5	0x4c8f	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.706114054 CET	1.1.1.1	192.168.2.5	0x4c8f	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.891494036 CET	1.1.1.1	192.168.2.5	0x77f6	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:55:32.977909088 CET	1.1.1.1	192.168.2.5	0x9cd2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 14:55:32.977909088 CET	1.1.1.1	192.168.2.5	0x9cd2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 14:55:32.977909088 CET	1.1.1.1	192.168.2.5	0x9cd2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 14:55:32.977909088 CET	1.1.1.1	192.168.2.5	0x9cd2	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 14:55:35.810636044 CET	1.1.1.1	192.168.2.5	0x3249	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:55:35.810636044 CET	1.1.1.1	192.168.2.5	0x3249	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:56:02.470552921 CET	1.1.1.1	192.168.2.5	0xc44	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:56:35.347896099 CET	1.1.1.1	192.168.2.5	0x4b20	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:56:36.804996014 CET	1.1.1.1	192.168.2.5	0xa9a7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:56:36.804996014 CET	1.1.1.1	192.168.2.5	0xa9a7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:57.030467987 CET	1.1.1.1	192.168.2.5	0x6b55	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:57.177292109 CET	1.1.1.1	192.168.2.5	0x339	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:57:58.591865063 CET	1.1.1.1	192.168.2.5	0xdda3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:57:58.591865063 CET	1.1.1.1	192.168.2.5	0xdda3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:58:04.367630005 CET	1.1.1.1	192.168.2.5	0x4cac	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:58:05.884004116 CET	1.1.1.1	192.168.2.5	0x4450	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:58:05.884004116 CET	1.1.1.1	192.168.2.5	0x4450	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:58:05.974324942 CET	1.1.1.1	192.168.2.5	0x4450	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 14:58:05.974324942 CET	1.1.1.1	192.168.2.5	0x4450	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	34.107.221.82	80	320	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 14:55:05.153247118 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:06.244900942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25629 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49723	34.107.221.82	80	320	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 14:55:07.220753908 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:08.353163958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47450 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:12.826410055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:13.150616884 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47454 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:17.675034046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:17.999435902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47459 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:20.026587963 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:20.351439953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47462 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:22.348352909 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:22.674002886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47464 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:32.678158998 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:55:33.930713892 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:34.262862921 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47476 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:34.387161016 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:34.713157892 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47476 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:35.407455921 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:35.735920906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47477 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:55:45.756392956 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:55:55.487458944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:55:55.813209057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47497 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:56:04.077954054 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:56:04.402004957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47506 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:56:14.416362047 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:24.545260906 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:34.678271055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:36.994762897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:56:37.318763971 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 14:56:47.331186056 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:57.461096048 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:07.590544939 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:18.100650072 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:28.531255960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:58.783209085 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:57:59.107547998 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47620 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	320	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 14:55:07.355751991 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:08.488166094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25631 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:12.975456953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:13.299590111 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25636 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:18.280282974 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:18.605878115 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25641 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:22.018409014 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:22.344432116 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25645 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:32.355189085 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:55:33.604135036 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:33.927877903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:34.021212101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:34.382936001 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25657 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:35.080774069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:35.404769897 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25658 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:55:45.417752028 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:55:55.159194946 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:55:55.483597040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25678 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:56:03.750340939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:56:04.074398041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25686 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:56:14.084116936 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:24.213268995 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:34.341824055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:36.667113066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:56:36.991041899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25719 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 14:56:46.992541075 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:56:57.122509003 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:07.251888037 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:17.661781073 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:28.531209946 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 14:57:58.453994036 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:57:58.778130054 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25801 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.5	50035	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 14:58:06.004885912 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 14:58:07.188081980 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 25810 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	50036	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 14:58:07.317854881 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 14:58:08.403019905 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 47630 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	08:54:57
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x800000
File size:	922'624 bytes
MD5 hash:	143C4039D125E72CE6D0CE771F89C518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2098433616.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:54:57
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x9e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:54:57
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:54:59
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x9e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x9e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x9e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x9e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:55:00
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:55:01
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f95c23-1e74-49b4-8ec9-6b62661cfb42} 320 "\\.\pipe\gecko-crash-server-pipe.320" 23719b6e510 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:55:03
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 3388 -prefMapHandle 4088 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ed2f00-3814-45b3-bad1-9010739314d0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372c129810 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	08:55:06
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 33008 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a20eec45-8e8b-43c7-9f8f-038c690464c0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2372b388910 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1522
Total number of Limit Nodes:	58

Executed Functions

Function 008042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0080430D

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetCurrentProcess.KERNEL32(?,0089CB64,00000000,?,?), ref: 00804422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00804429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00804454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00804466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00804474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0080447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008044A0

Strings

|O, xrefs: 008436F8
GetNativeSystemInfo, xrefs: 00804460
kernel32.dll, xrefs: 0080444F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction ID: f329c84199354af2a60285fbdb99c8b3c8eb84952a86b822589fce43d9c30b15
Opcode Fuzzy Hash: bbca0355d8f7c273a56c356c637808a1adb54821b64df1b41161735767f7c367
Instruction Fuzzy Hash: C7A1C5A190B7C4FFCF19D769BC491967FA5FF26304B085AABE081D3B62D2384508CB25

Function 008042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008050AA,?,?,00000000,00000000), ref: 008042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008050AA,?,?,00000000,00000000), ref: 008042C9
LoadResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435BE
SizeofResource.KERNEL32(?,00000000,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20), ref: 008435D3
LockResource.KERNEL32(008050AA,?,?,008050AA,?,?,00000000,00000000,?,?,?,?,?,?,00804F20,?), ref: 008435E6

Strings

SCRIPT, xrefs: 008042BF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction ID: c9af704d2635dff017b091eec1734176d7d85ec35c3431d55387d4fdb02fa784
Opcode Fuzzy Hash: 654b4a078150d70d248763fe40da1ffb74e28eb41c28825172f6f531ad3b9819
Instruction Fuzzy Hash: 1D117CB0240701BFDB219BA5DC48F277BB9FBC5B51F14416AB512D6290DBB2D8008630

Function 00842BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008D1418,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008C2224), ref: 00842C10
ShellExecuteW.SHELL32(00000000,?,?,008C2224), ref: 00842C17

Strings

runas, xrefs: 00842C0B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction ID: 9196b3ecaa36445f24c782043721f103306d3afc0f634998123c580b544ac370
Opcode Fuzzy Hash: 19647ff7a8d4cdfa3bc90c3a5a8f0e735ce21a6b40bbf764d8bd5cbddc1cc79a
Instruction Fuzzy Hash: FB11C331208245AACB54FF68DC56A6E77A9FF90710F44052EF182C21E3CF6185498713

Function 0086D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Process32NextW.KERNEL32(00000000,?), ref: 0086D52F
CloseHandle.KERNELBASE(00000000), ref: 0086D5DC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction ID: 15878d53fa7ba46336164891de2bec6b4d5071e54e0702c28390ac88e389058c
Opcode Fuzzy Hash: e819533a6682472e42c412793e0489c824cbfbd14c8a9d8173f82bbaff558e23
Instruction Fuzzy Hash: EE316D715083009FD304EF58CC85AABBBE8FF99354F14092DF582C62A2EB719945CBA3

Function 0086DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00845222), ref: 0086DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0086DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0086DBEE
FindClose.KERNEL32(00000000), ref: 0086DBFA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction ID: d1865f2d52c12536042ecdae446e20da388d7512629ecd88f17f6e871a805e43
Opcode Fuzzy Hash: c6789ca95c53bec43d94937e8816003ffe08bfd47821872a93f617d577291cdc
Instruction Fuzzy Hash: 8BF0A030810A1857C220BBB8AC0D8AA376CFF41334F584703F836C22E0EBB2599486D9

Function 00824CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D09
TerminateProcess.KERNEL32(00000000,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000,?,008328E9), ref: 00824D10
ExitProcess.KERNEL32 ref: 00824D22

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction ID: 3034148376c99c869a87218ae51fba2d51a89c8c322925dfb1c2c8a4230e3ec9
Opcode Fuzzy Hash: 6f7fec4d84d3118d402d89501b6db590fee2f2e4dd7685c3a305e9a438f9df88
Instruction Fuzzy Hash: A7E0B631000158AFCF11BF54EE0AA583B69FB41B81F144015FC09CB222DB36DD82DAA0

Function 0088AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0088B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088B1D4
_wcslen.LIBCMT ref: 0088B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088B236
_wcslen.LIBCMT ref: 0088B332

Part of subcall function 008705A7: GetStdHandle.KERNEL32(000000F6), ref: 008705C6

_wcslen.LIBCMT ref: 0088B34B
_wcslen.LIBCMT ref: 0088B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088B3B6
GetLastError.KERNEL32(00000000), ref: 0088B407
CloseHandle.KERNEL32(?), ref: 0088B439
CloseHandle.KERNEL32(00000000), ref: 0088B44A
CloseHandle.KERNEL32(00000000), ref: 0088B45C
CloseHandle.KERNEL32(00000000), ref: 0088B46E
CloseHandle.KERNEL32(?), ref: 0088B4E3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 14a11925d51a5cf61dff08d139aee8206570a1dbb826898772cf3ae88df0119e
Instruction ID: 08c62094ad9b498b75586de95bc3612b1613181c395253b9807713f1a29b8c88
Opcode Fuzzy Hash: 14a11925d51a5cf61dff08d139aee8206570a1dbb826898772cf3ae88df0119e
Instruction Fuzzy Hash: F4F159316082409FDB14EF28C891B6ABBE5FF85314F18855DF899DB2A2DB31EC45CB52

Function 0080D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0080D807
timeGetTime.WINMM ref: 0080DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB28
TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 93f08396f0fc90f46e49fe8abfbcb0effc2f57c75521ce385cfc4fb87dacaac0
Instruction ID: 494a858bb849e4e40eebacc1ebde2272fc3866ad984dff2ffad9317f40e0587e
Opcode Fuzzy Hash: 93f08396f0fc90f46e49fe8abfbcb0effc2f57c75521ce385cfc4fb87dacaac0
Instruction Fuzzy Hash: CE42EF30608345EFDB69DB68CC44BAABBE4FF46314F14865AE855C72D1DB70E848CB92

Function 00802CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802D07
RegisterClassExW.USER32(00000030), ref: 00802D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
LoadIconW.USER32(000000A9), ref: 00802D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

AutoIt v3 GUI, xrefs: 00802D23
0, xrefs: 00802CE9
+, xrefs: 00802CF0
TaskbarCreated, xrefs: 00802D37

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction ID: df3db50f055d3b99cfb7b96d9ae8a5f2df3a49b760856df81af58cad61b356b1
Opcode Fuzzy Hash: 9bee8c2309d32dc8a723a1441730b7d00e6e929c6165bfb4ce90161d07ee97f0
Instruction Fuzzy Hash: 0F21B2B5902218BFDF00EFE4E859ADDBFB8FB08700F44821BE611A62A0D7B645448F91

Function 0084065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0084039A: CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

GetLastError.KERNEL32 ref: 0084076F
__dosmaperr.LIBCMT ref: 00840776
GetFileType.KERNELBASE(00000000), ref: 00840782
GetLastError.KERNEL32 ref: 0084078C
__dosmaperr.LIBCMT ref: 00840795
CloseHandle.KERNEL32(00000000), ref: 008407B5
CloseHandle.KERNEL32(?), ref: 008408FF
GetLastError.KERNEL32 ref: 00840931
__dosmaperr.LIBCMT ref: 00840938

Strings

H, xrefs: 008408BD

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction ID: 6fc4ce6580266b2c815bd44000edc5743c418e8db57cb6b33cf86b47c9c8e583
Opcode Fuzzy Hash: 1d9362f0844e668fc375580547bac65ee41d61c80f265b9731a64bd836cb5001
Instruction Fuzzy Hash: 20A10432A041188FDF19AF68D851BAE7BA0FB46324F24015AF915DB3D2DB359812CF92

Function 0080344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00803A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008D1418,?,00802E7F,?,?,?,00000000), ref: 00803A78

Part of subcall function 00803357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00803379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0080356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0084318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008431CE
RegCloseKey.ADVAPI32(?), ref: 00843210
_wcslen.LIBCMT ref: 00843277
_wcslen.LIBCMT ref: 00843286

Strings

\Include\, xrefs: 00803527
Software\AutoIt v3\AutoIt, xrefs: 00803560
Include, xrefs: 00843184, 008431C5
\, xrefs: 0084328C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b201e94a384d3ebc4c209445d442cae6dacd953f4fa0eb28a6042d9dda0d2e88
Instruction ID: 893ee9e31a07382066c4631eb20e21af922257337beae35ede56a17b1148b438
Opcode Fuzzy Hash: b201e94a384d3ebc4c209445d442cae6dacd953f4fa0eb28a6042d9dda0d2e88
Instruction Fuzzy Hash: 36717D715053059EC708EF69EC8296BBBE8FFA5340F40062EF555C32B1EB759A48CB62

Function 00802B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00802B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00802B9D
LoadIconW.USER32(00000063), ref: 00802BB3
LoadIconW.USER32(000000A4), ref: 00802BC5
LoadIconW.USER32(000000A2), ref: 00802BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00802BEF
RegisterClassExW.USER32(?), ref: 00802C40

Part of subcall function 00802CD4: GetSysColorBrush.USER32(0000000F), ref: 00802D07
Part of subcall function 00802CD4: RegisterClassExW.USER32(00000030), ref: 00802D31
Part of subcall function 00802CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00802D42
Part of subcall function 00802CD4: InitCommonControlsEx.COMCTL32(?), ref: 00802D5F
Part of subcall function 00802CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00802D6F
Part of subcall function 00802CD4: LoadIconW.USER32(000000A9), ref: 00802D85
Part of subcall function 00802CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00802D94

Strings

0, xrefs: 00802C0F
AutoIt v3, xrefs: 00802C2F
#, xrefs: 00802C16

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction ID: f55872ac8698dee07965db42e0b70d3fe34a6d2b860c801ead410785b884de64
Opcode Fuzzy Hash: f8044e34056d028948a556ce0dc0362133e23b67fe73bcdd79f30e8bb8674104
Instruction Fuzzy Hash: 9C21F570A02318BBDF149FE9EC59AA97FB4FF48B50F44421BE604A67A0D7BA05408F90

Function 00803170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0080316A,?,?), ref: 008031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0080316A,?,?), ref: 00803204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00803227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0080316A,?,?), ref: 00803232
CreatePopupMenu.USER32 ref: 00803246
PostQuitMessage.USER32(00000000), ref: 00803267

Strings

TaskbarCreated, xrefs: 0080322D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction ID: 38f8e2aec67ed97606c0d76ba8f067471299283932bb78e5dbbd2d852525b570
Opcode Fuzzy Hash: 4aac73e553e460ba11f172d02924ed5f59cab35bfb01a3df77be2b5814fb67dd
Instruction Fuzzy Hash: 14412635244208BBDF556BBC9D2DB793B5DFF0A345F480227F902C62E1CB759A8097A2

Function 00801410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00801459
CoUninitialize.COMBASE ref: 008014F8
UnregisterHotKey.USER32(?), ref: 008016DD
DestroyWindow.USER32(?), ref: 008424B9
FreeLibrary.KERNEL32(?), ref: 0084251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0084254B

Strings

close all, xrefs: 00801454

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e122f0e7bea8fce5f73cfc80df8019e2094ebf8a7e25f7636db4374f678d9193
Instruction ID: b283cd2e03e50bc79f42c6d1ed1a00f4aa240776d90164d8992a03f264b907c5
Opcode Fuzzy Hash: e122f0e7bea8fce5f73cfc80df8019e2094ebf8a7e25f7636db4374f678d9193
Instruction Fuzzy Hash: 6AD19B30705212CFCB69EF18C899A29F7A4FF04714F5541ADE54AEB2A2DB31AC12CF51

Function 00802C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00802C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00802CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00801CAD,?), ref: 00802CCF

Strings

AutoIt v3, xrefs: 00802C89, 00802C8E, 00802C8F
edit, xrefs: 00802CAC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction ID: e6c95941ec7491ce14f366181bda6ae87b1ea91f1e5401d054c67e5c12176d2f
Opcode Fuzzy Hash: d906b69c6e79fbe2441b948d14a1e498dac6e11923b5ea00e23d8b40d68d2189
Instruction Fuzzy Hash: FDF0DA756412907BEF35175BAC0CE772FBDFBC6F60B04015BF904A26A0C66A1850DAB0

Function 00803B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00803B0F,SwapMouseButtons,00000004,?), ref: 00803B83

Strings

Control Panel\Mouse, xrefs: 00803B3E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction ID: 31d3b99abb07cd05d85d3ae7d287de5ae419290bd85404e2ef2cafef4ed5511c
Opcode Fuzzy Hash: 8387b6d54281ee9edf4f51090876f6d7c7c78ea482ca1ab88598e85a3e8f65fe
Instruction Fuzzy Hash: 261127B5611208FFDB609FA5DC95AAEBBBCFF04768B10846AA805D7150E3319E449BA0

Function 00803923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008433A2

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Strings

Line: , xrefs: 008433EB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction ID: cd53ddb2646827d7abb12137d815533da8ab92d2a11ea3ae3a99134aa95cd498
Opcode Fuzzy Hash: ecb6f14db0628872de36ba330db151cffd712fc4b6b1c70c2c08a57d2933cabf
Instruction Fuzzy Hash: 25319E71509304AAC765EB28EC49BEBB7ACFF40714F00462AF599C22D1EB749659C7C3

Function 0081FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00820668

Part of subcall function 008232A4: RaiseException.KERNEL32(?,?,?,0082068A,?,008D1444,?,?,?,?,?,?,0082068A,00801129,008C8738,00801129), ref: 00823304

__CxxThrowException@8.LIBVCRUNTIME ref: 00820685

Strings

Unknown exception, xrefs: 00820692

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4c92fdc7b57730da016698fbb1dc7eb81186f729ab5f9846c17984cbdc9194a0
Instruction ID: 89637452946456fafae98775fce12132d324648d7ef0c9529e51c28d5a8f61b9
Opcode Fuzzy Hash: 4c92fdc7b57730da016698fbb1dc7eb81186f729ab5f9846c17984cbdc9194a0
Instruction Fuzzy Hash: 8BF0AF2490031DA7CB00B6A8F856DAE7B6CFE10310B604535BA24D6593EF71DAE98982

Function 008010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00801BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
Part of subcall function 00801BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Part of subcall function 00801B4A: RegisterWindowMessageW.USER32(00000004,?,008012C4), ref: 00801BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0080136A
OleInitialize.OLE32 ref: 00801388
CloseHandle.KERNEL32(00000000,00000000), ref: 008424AB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction ID: 62c053fbaa498c22c967736a51d5f3170d64f3c78805b9d86a5d442e76b34cb8
Opcode Fuzzy Hash: 86ac691611fa658be3a7f54ed461e07f4acb96345998f818e464420cff46134a
Instruction Fuzzy Hash: 037187B4A12200AECF84EFA9B94D6593BF6FF88354744832BD11AC72A2EB384444CF45

Function 0086C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00803923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00803A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0086C259
KillTimer.USER32(?,00000001,?,?), ref: 0086C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086C270

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction ID: 4d921400b69d4f6fd7d02e110b93c162a6f87889c6490365e6d47badf3786ea2
Opcode Fuzzy Hash: 13814ad846350d14d3e01af308a80383a92d67cdee6c1ad746176a0ac16342ff
Instruction Fuzzy Hash: 40317370904354AFEB229F649895BE7BBECFF06308F05049AD6DAE7241C7745A84CB51

Function 008386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008385CC,?,008C8CC8,0000000C), ref: 00838704
GetLastError.KERNEL32(?,008385CC,?,008C8CC8,0000000C), ref: 0083870E
__dosmaperr.LIBCMT ref: 00838739

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction ID: f0885a963a080055d05a60c6c3498d49ef7968c0b0763da95a441824c0ec279c
Opcode Fuzzy Hash: 21309dbe6dca1ae4e4102069e98f4c453672324aaad13dd10268e1ee61547072
Instruction Fuzzy Hash: C0012B3260572097D6246338694A77E6759FBD2778F39021EF815CB2D2EEA18C8181D1

Function 0080DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0080DB7B
DispatchMessageW.USER32(?), ref: 0080DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080DB9F
Sleep.KERNELBASE(0000000A), ref: 0080DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00851CC9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction ID: ec411767df4fc7244570706bf412f2cc5cca364a82466a9981ea089c9b6cad3e
Opcode Fuzzy Hash: 06a05c2dae178bb6d1111eaeb21bdc19206b2b841cf06b682827c9775ebc1dfc
Instruction Fuzzy Hash: 5CF05430604344ABEB70D7E48C59FEA73ACFF44311F144625E619C30C0DB319448DB15

Function 00811310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008117F6

Strings

CALL, xrefs: 008117C6

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5842a04dc6e0e50ceb941b78636d83e1a7a00534be11339da4b57cda01f3b49e
Instruction ID: 9868fa37f90d6841fdd3669ee0d46e6c3ed874c22d7e9ae8ab0515bd073cec81
Opcode Fuzzy Hash: 5842a04dc6e0e50ceb941b78636d83e1a7a00534be11339da4b57cda01f3b49e
Instruction Fuzzy Hash: 3F228D706082019FCB14DF18C484AAABBF6FF95314F54896DF996CB3A2D731E895CB42

Function 00802DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00842C8C

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 00802DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Strings

X, xrefs: 00842C5A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction ID: 657a949650e6b9a07b9e89d19888cb7476467baa411abfc62a6e88b36d5fbdee
Opcode Fuzzy Hash: ce6e067db539c5657cd144fc15c87f1502aa9ccafb65463d04e9e09ce6bcea27
Instruction Fuzzy Hash: AB218471A0025C9ADB45EF98CC49BDE7BB8FF49314F00405AE505E7281DBB499998B61

Function 00803837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction ID: c20cf37dd8f66fe58e95674bc7b76054eaabd340bfa437d5d3ab82625db6c552
Opcode Fuzzy Hash: 6f05aed33059bec3cc3b049dfa6284592dd6b61976aed1f7d528db3b04ff4fa6
Instruction Fuzzy Hash: D3317C706057019FD760DF24D888797BBE8FB49708F000A6EF59AC3390E775AA44CB52

Function 0081F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0081F661

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

Sleep.KERNEL32(00000000), ref: 0085F2DE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction ID: ff47775cdeee85e1e4db5ff9c95332c2723e9bcc165af3a88bf0988aa738ec2b
Opcode Fuzzy Hash: 10d35a0785a306a4af7e216dc1ce67300e643d9a9960b2e10a3d8437284135ee
Instruction Fuzzy Hash: E8F08C71240205AFD350FF69D849B6AB7E8FF49761F00006AE85DC73A1DB70AC00CB91

Function 00804ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00804E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
Part of subcall function 00804E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
Part of subcall function 00804E90: FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EFD

Part of subcall function 00804E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
Part of subcall function 00804E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
Part of subcall function 00804E59: FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction ID: d38c14d517267b7300559f5c2ac08fea5fdae2bfdf3748b07cb449f584851da8
Opcode Fuzzy Hash: e3f93ca5fbeff3a724c9f63929a43d1cf516271c9ca1bdfe460d024ae6886496
Instruction Fuzzy Hash: DB1123B2640206AACF20BB68DC03FAD77A5FF40711F10842EF642E61C1EEB19A049B52

Function 00838402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00838440

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction ID: ee36ca4796ca84cd5fd59d3020713b597c47fa7d0358672cb5abb6f49d926f20
Opcode Fuzzy Hash: 23706d2a297f3054b8549b17d697751e836af98166d6b4cd67e14e08a24c0a23
Instruction Fuzzy Hash: 5711067590420AEFCF15DF58E94199A7BF9FF88314F104059F808EB312DA31DA118BA5

Function 0082E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 851a8655385276aef9014ca9ce64b1e2fe5f639e1a4de4827b2490e01f03d140
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8DF0D132510A34A6C6313E6DAC15B5A3798FFA2335F100725F821D22D2DA74A881C6EA

Function 00833820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction ID: ade356c16376ee50ecaadcf1537fccf20bfd578f0ce23805217619a57c4369bf
Opcode Fuzzy Hash: 56d55048caafc8db54be9552bb9301890e2d316415faa0e301810620c93acae8
Instruction Fuzzy Hash: 06E0E531101234A7EA212AAAAC04B9A3748FFC27B0F050131BD14D25A1CB61DE0181E5

Function 00804F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804F6D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction ID: c35af79f8ac3e735dea3417aff2224d6032f1dfb26fe883ad36175beb715972c
Opcode Fuzzy Hash: b0e4c6d1fa0a2395400e2e887635ccf2422077867cfcc4acf2937a3a59b3e05c
Instruction Fuzzy Hash: 02F039B1145752CFDB749F64E890822BBE4FF14329324997EE3EAC2661CB329884DF10

Function 00892A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00892A66

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 92ae2fce7b99156ddbfc3fe7785e7ac71f9798c135d3c53e1a8964c88c7cbaf9
Instruction ID: 7ad4ea13fd6c14b8da59927921890f427722dd9813a916345d1c6b540b221861
Opcode Fuzzy Hash: 92ae2fce7b99156ddbfc3fe7785e7ac71f9798c135d3c53e1a8964c88c7cbaf9
Instruction Fuzzy Hash: 9AE04F7735412ABACB14FA34DC809FE779CFB61399714453AAC1AC2540DB30999586A0

Function 008030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction ID: b072315c2716c10c96f63da866f502b2f2b74f40f035ce41a88a95f6fe2df49e
Opcode Fuzzy Hash: b529ff287568d5dd85abaf739331581522f65a099f799e06fddbdeb53eba6e2c
Instruction Fuzzy Hash: 97F03770A14314AFEB56DB24DC497D57BBCBB05708F0401E6E548D6291D7745788CF51

Function 00802DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00802DC4

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction ID: 858986f5f442de7eb73410e9bfff685936a779b7384f81cf979899d16d2aa7b8
Opcode Fuzzy Hash: fd9e3334b28eb8db331c67e95b5d439942c68ca17e72d7b68a4adad76397c1cb
Instruction Fuzzy Hash: 72E0CD726001245BCB10E79C9C05FDA77DDFFC8790F040071FD09D7248DE60AD848551

Function 00802B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00803837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00803908

Part of subcall function 0080D730: GetInputState.USER32 ref: 0080D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00802B6B

Part of subcall function 008030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0080314E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction ID: d85155a290440a413154086bf87ec154194f5424e485b5572ed7ecf39822d219
Opcode Fuzzy Hash: f13a2bab8090b92138c915b30f968fa9d90ed55c0323cb25ec8249f670abcecf
Instruction Fuzzy Hash: DEE04F2120424416CA44BBA89C5656DA75AFF95351F40563FF142C22E3CE6545494253

Function 0084039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00840704,?,?,00000000,?,00840704,00000000,0000000C), ref: 008403B7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction ID: f542be9cb611d7b903a5267135741704c902b5721b6b4d412979159f1caed584
Opcode Fuzzy Hash: 28f5b7073634626168d1ec16c08f0a2673901c4679c8af837fba16f76b82ff53
Instruction Fuzzy Hash: 74D06C3204010DBBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB94

Function 00801CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00801CBC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction ID: ef5b4b9eb0b2dccfee2f2b68eaf0e31366e84edc7afcb3ac560b13a00a23b26f
Opcode Fuzzy Hash: b9bb6e47159819e35484c1c813c1d92e16a87c426a3aee45bdde00d31f55fc3d
Instruction Fuzzy Hash: E2C09236281304AFF6189B84BC4EF107764B758B00F488203F609A96E3C3A22820EA50

Non-executed Functions

Function 00899576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0089961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0089965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0089969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008996C9
SendMessageW.USER32 ref: 008996F2
GetKeyState.USER32(00000011), ref: 0089978B
GetKeyState.USER32(00000009), ref: 00899798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008997AE
GetKeyState.USER32(00000010), ref: 008997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008997E9
SendMessageW.USER32 ref: 00899810
SendMessageW.USER32(?,00001030,?,00897E95), ref: 00899918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0089992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00899941
SetCapture.USER32(?), ref: 0089994A
ClientToScreen.USER32(?,?), ref: 008999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008999D6
ReleaseCapture.USER32 ref: 008999E1
GetCursorPos.USER32(?), ref: 00899A19
ScreenToClient.USER32(?,?), ref: 00899A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899A80
SendMessageW.USER32 ref: 00899AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899AEB
SendMessageW.USER32 ref: 00899B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00899B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00899B4A
GetCursorPos.USER32(?), ref: 00899B68
ScreenToClient.USER32(?,?), ref: 00899B75
GetParent.USER32(?), ref: 00899B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00899BFA
SendMessageW.USER32 ref: 00899C2B
ClientToScreen.USER32(?,?), ref: 00899C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00899CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00899CDE
SendMessageW.USER32 ref: 00899D01
ClientToScreen.USER32(?,?), ref: 00899D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00899D82

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetWindowLongW.USER32(?,000000F0), ref: 00899E05

Strings

@GUI_DRAGID, xrefs: 0089997D
F, xrefs: 00899D07

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction ID: 4dfad334bc93eb3ba9dd3ee529ce6535f040f422421d5450656af47f70d62004
Opcode Fuzzy Hash: 621e95c1e8588867a217cee80fc642b7ca3ac2ba02599fd8a2a5764f0ab8dff9
Instruction Fuzzy Hash: E4429F35204201AFDB25EF68CC58EAABBE5FF59314F18061EF599C72A1E731E850CB52

Function 00894873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00894908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00894927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0089494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0089495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0089497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00894A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00894A7E
IsMenu.USER32(?), ref: 00894A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00894B20
GetWindowLongW.USER32(?,000000F0), ref: 00894B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00894BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00894C82
wsprintfW.USER32 ref: 00894CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00894D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00894D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00894D5A

Strings

%d/%02d/%02d, xrefs: 00894CA8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 43831b3a212eff65d76d3b4d3b6e7aecf9cbe41bb26af5fabeaba4f33cc0a75c
Instruction ID: 16b06ea0a39e2583efc46c3c182997a1da7e3fcbf883a6743c7f9008560b14ff
Opcode Fuzzy Hash: 43831b3a212eff65d76d3b4d3b6e7aecf9cbe41bb26af5fabeaba4f33cc0a75c
Instruction Fuzzy Hash: 2812EE71600218AFEF25AF28CC49FAE7BE8FF45314F185129F516EA2E1DB749942CB50

Function 0081F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0081F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085F474
IsIconic.USER32(00000000), ref: 0085F47D
ShowWindow.USER32(00000000,00000009), ref: 0085F48A
SetForegroundWindow.USER32(00000000), ref: 0085F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4AA
GetCurrentThreadId.KERNEL32 ref: 0085F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0085F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0085F4DE
SetForegroundWindow.USER32(00000000), ref: 0085F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F4F6
keybd_event.USER32(00000012,00000000), ref: 0085F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F50B
keybd_event.USER32(00000012,00000000), ref: 0085F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F519
keybd_event.USER32(00000012,00000000), ref: 0085F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0085F528
keybd_event.USER32(00000012,00000000), ref: 0085F52D
SetForegroundWindow.USER32(00000000), ref: 0085F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0085F557

Strings

Shell_TrayWnd, xrefs: 0085F46F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction ID: b88f8e8369836293d9da5d45806ea2b2605b04fc6c010d4c4076a08355d9d8ed
Opcode Fuzzy Hash: 103f0fa4a5e4cf637bd3ea3fd194522977abf9fc27ac0430a3edf67059e447bb
Instruction Fuzzy Hash: DE317071A40218BBEB217BB55C4AFBF7E6CFB44B50F14002AFB00E61D1D6B15D00AA60

Function 00861201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00861286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008612A8
CloseHandle.KERNEL32(?), ref: 008612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008612D1
GetProcessWindowStation.USER32 ref: 008612EA
SetProcessWindowStation.USER32(00000000), ref: 008612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00861310

Part of subcall function 008610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
Part of subcall function 008610BF: CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Strings

winsta0, xrefs: 008612CC
default, xrefs: 0086130B
, xrefs: 0086125A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 36fba8bdf82bc137c1bd7b34b2d1462ff539843812c9c641543db7ca5ef99cce
Instruction ID: 20d807c726f754ab3af709cdc21bdc003827019392754ae8ae500f6c51e125b0
Opcode Fuzzy Hash: 36fba8bdf82bc137c1bd7b34b2d1462ff539843812c9c641543db7ca5ef99cce
Instruction Fuzzy Hash: D0819E71900208AFDF119FA8DC49FEE7BBAFF04704F19412AF910E62A2DB758944CB25

Function 00860B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860C00
GetLengthSid.ADVAPI32(?), ref: 00860C17
GetAce.ADVAPI32(?,00000000,?), ref: 00860C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860C6D
GetLengthSid.ADVAPI32(?), ref: 00860C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860C8C
HeapAlloc.KERNEL32(00000000), ref: 00860C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860CB4
CopySid.ADVAPI32(00000000), ref: 00860CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D45
HeapFree.KERNEL32(00000000), ref: 00860D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D55
HeapFree.KERNEL32(00000000), ref: 00860D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860D65
HeapFree.KERNEL32(00000000), ref: 00860D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00860D78
HeapFree.KERNEL32(00000000), ref: 00860D7F

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction ID: 4f21c75884f1662eec6cdec0b87f786238c84454a043411ce855ed22a990479f
Opcode Fuzzy Hash: d62433effb1e3cd9bdc2f06102b299e1ec4c6d3dd7fa41bf73ada5e3aec13518
Instruction Fuzzy Hash: 81715A7290020AAFEF10EFA4DC48BAFBBB8FF05300F194616E915E6191D776A905CF64

Function 0087EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0089CC08), ref: 0087EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0087EB37
GetClipboardData.USER32(0000000D), ref: 0087EB43
CloseClipboard.USER32 ref: 0087EB4F
GlobalLock.KERNEL32(00000000), ref: 0087EB87
CloseClipboard.USER32 ref: 0087EB91
GlobalUnlock.KERNEL32(00000000), ref: 0087EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0087EBC9
GetClipboardData.USER32(00000001), ref: 0087EBD1
GlobalLock.KERNEL32(00000000), ref: 0087EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0087EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0087EC38
GetClipboardData.USER32(0000000F), ref: 0087EC44
GlobalLock.KERNEL32(00000000), ref: 0087EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0087EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0087ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0087ECF3
CountClipboardFormats.USER32 ref: 0087ED14
CloseClipboard.USER32 ref: 0087ED59

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction ID: 584cc4240ac48c75bc97515683dc6f219c7169ab2060fb24c4c4ce5acd7d4e88
Opcode Fuzzy Hash: d319918019aaf93f46c68259479b6f5c07b8d6bbecea400324c32835f9950f57
Instruction Fuzzy Hash: F661BF342042059FD311EF68DC85F2A7BA4FF88714F18859EF45AD72A6DB32D905CBA2

Function 0087698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008769BE
FindClose.KERNEL32(00000000), ref: 00876A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00876A75

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00876AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00876ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00876B32
%02d, xrefs: 00876C00, 00876C0A, 00876C5A, 00876CAA, 00876CFA, 00876D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00876B6A
%4d, xrefs: 00876BB1
%03d, xrefs: 00876DA2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction ID: 01f899b47229a9465e70ad03e6996172ef875e3ab2ae5a43bc91c12ab1417b37
Opcode Fuzzy Hash: e9f85cce75af134d9433014a4055c05bc23cc539c5d258a64670b55d291dca0e
Instruction Fuzzy Hash: 9DD12E72908340AEC754EBA4CC81EABB7ECFF88704F444919F589D6192EB74DA44CB63

Function 00879642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00879663
GetFileAttributesW.KERNEL32(?), ref: 008796A1
SetFileAttributesW.KERNEL32(?,?), ref: 008796BB
FindNextFileW.KERNEL32(00000000,?), ref: 008796D3
FindClose.KERNEL32(00000000), ref: 008796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0087974A
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 00879768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00879772
FindClose.KERNEL32(00000000), ref: 0087977F
FindClose.KERNEL32(00000000), ref: 0087978F

Strings

*.*, xrefs: 008796F5

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction ID: e26f1727d1113ee532d5dc55384c92dfddf102de5e4d7384dbc3f200c1e00477
Opcode Fuzzy Hash: 97f6999149a66f7aa26954e3f87959b7f1006e0086646ae05b6d2007d7aa216d
Instruction Fuzzy Hash: AB31D3325412196BDF14EFB4EC48EDE77ACFF09360F148166F859E21A0EB35DE808A20

Function 0087979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00879819
FindClose.KERNEL32(00000000), ref: 00879824
FindFirstFileW.KERNEL32(*.*,?), ref: 00879840
SetCurrentDirectoryW.KERNEL32(?), ref: 00879890
SetCurrentDirectoryW.KERNEL32(008C6B7C), ref: 008798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008798B8
FindClose.KERNEL32(00000000), ref: 008798C5
FindClose.KERNEL32(00000000), ref: 008798D5

Part of subcall function 0086DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0086DB00

Strings

*.*, xrefs: 0087983B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction ID: c9ea57fd90de20aa36d714c4557ac3170f9bbf10353c9eb3438b5d16ef087184
Opcode Fuzzy Hash: 02f78ecf8d91d72c9300791b7d3e34b91198291bd2be9348986e5b6ca8995586
Instruction Fuzzy Hash: 5231A3315416196ADF10EFB4EC48EDE77BCFF06324F1481A6E898E21D4EB35DD848A61

Function 0088BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0088BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0088BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0088C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0088C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0088C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0088C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088C382
RegCloseKey.ADVAPI32(00000000), ref: 0088C38F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c873d981ad4adede54e2f962b4e84d86844ebc37b51aeacdc8cc938737d3102c
Instruction ID: af881848d26e516d9987a1cd957ccc207116f09a4ea467637697ea57727a2d1f
Opcode Fuzzy Hash: c873d981ad4adede54e2f962b4e84d86844ebc37b51aeacdc8cc938737d3102c
Instruction Fuzzy Hash: AD024D716042009FD754DF28C895E2ABBE5FF89318F18849DF449DB2A6DB31EC46CB62

Function 00878195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00878257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00878267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00878273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00878310
SetCurrentDirectoryW.KERNEL32(?), ref: 00878324
SetCurrentDirectoryW.KERNEL32(?), ref: 00878356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0087838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00878395

Strings

*.*, xrefs: 0087839B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction ID: 4b1c08d9d7f97117a60d3819a1482d3300d11a6ced6e2e1622792a6909759033
Opcode Fuzzy Hash: b4db26b6674af27a51b59523c90cada6380395e80388b71a646350d83b836d5a
Instruction Fuzzy Hash: B5616CB25043059FDB10EF68C8849AEB3E8FF89314F04891EF999C7251DB31E945CB92

Function 0086D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0086D1DD
MoveFileW.KERNEL32(?,?), ref: 0086D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D237

Part of subcall function 0086D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0086D21C,?,?), ref: 0086D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0086D253
FindClose.KERNEL32(00000000), ref: 0086D264

Strings

\*.*, xrefs: 0086D0CD, 0086D0D6, 0086D0EB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction ID: ebd2419785aef5cff6586c502c42717395fefe43213c40d5450c9b27066eb28f
Opcode Fuzzy Hash: 3f9f78df43a4669556f4633f822f6b6197779dcbde995f3016d41a0bf61da60b
Instruction Fuzzy Hash: 5B613931D012099ACF05EBA4DD929EEB779FF55300F254165E402B7292EB31AF09CB62

Function 0087ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0087ED91
EmptyClipboard.USER32 ref: 0087ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0087EDAC
CloseClipboard.USER32 ref: 0087EEA3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction ID: 0d7789358ef6ffc6912ae414466614b86d8f998b65973685f21bfba5c858854d
Opcode Fuzzy Hash: 45e87235d99f52ab67207674e6946b8fcd36e4878bd630c041b6868821130c48
Instruction Fuzzy Hash: D0418035604611AFE721DF19D888B19BBE5FF48318F18C49EE419CB6A2CB76EC41CB91

Function 0086E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
Part of subcall function 008616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
Part of subcall function 008616C3: GetLastError.KERNEL32 ref: 0086174A

ExitWindowsEx.USER32(?,00000000), ref: 0086E932

Strings

SeShutdownPrivilege, xrefs: 0086E902
, xrefs: 0086E95C
@, xrefs: 0086E925
, xrefs: 0086E920

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction ID: ac15834ca35ec127470f99f04e11d643c3594ee5022af1d7a6450850d5bcf320
Opcode Fuzzy Hash: a266fe3171461b658648bdab235942d437891742a447ad1f5394e4e4666bdb56
Instruction Fuzzy Hash: 1901D676610215ABFB5466B99C8AFBB776CFF14754F1B0422F812E21D2E6A25C4085A0

Function 00881204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00881276
WSAGetLastError.WSOCK32 ref: 00881283
bind.WSOCK32(00000000,?,00000010), ref: 008812BA
WSAGetLastError.WSOCK32 ref: 008812C5
closesocket.WSOCK32(00000000), ref: 008812F4
listen.WSOCK32(00000000,00000005), ref: 00881303
WSAGetLastError.WSOCK32 ref: 0088130D
closesocket.WSOCK32(00000000), ref: 0088133C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction ID: 6b5a18c7c571bb828fc009fdb67c6e8933e07eb314b25f3927a4e373a70d36eb
Opcode Fuzzy Hash: 926abcf1a6504d74125e2c9a06768d9dc3395af7e292ef737d5bae59a205eb4b
Instruction Fuzzy Hash: 004171316001109FDB10EF68C888B69BBE5FF46318F188199D856DF2D6CB71ED82CBA1

Function 0083B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0083B9D4
_free.LIBCMT ref: 0083B9F8
_free.LIBCMT ref: 0083BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008A3700), ref: 0083BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0083BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008D1270,000000FF,?,0000003F,00000000,?), ref: 0083BC36
_free.LIBCMT ref: 0083BD4B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a0264664ee20fd0282bef5e04c6c4c39a0b5cb8bdf03b486f1a035665bfb90d8
Instruction ID: 344b03018b3c0a1ea1e6cc3d5f21414c9b8667fe3cacfdf5e83b0444ed3fb836
Opcode Fuzzy Hash: a0264664ee20fd0282bef5e04c6c4c39a0b5cb8bdf03b486f1a035665bfb90d8
Instruction Fuzzy Hash: 65C11AB1A04218AFDB20DF689C45BAABBB8FFC1320F14419AE694D7251EB319E41C7D1

Function 0086D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

FindFirstFileW.KERNEL32(?,?), ref: 0086D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0086D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0086D481
FindClose.KERNEL32(00000000), ref: 0086D498
FindClose.KERNEL32(00000000), ref: 0086D4A1

Strings

\*.*, xrefs: 0086D3F2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction ID: ef371fc391cc56e1a5ee749458786d29855e32ea633d8113016824696267fcc8
Opcode Fuzzy Hash: 7fc9811891ec2939239999124fa23b85e069347779c6b10647fbee5f5344f65d
Instruction Fuzzy Hash: 95316D315083459BC204EF68DC919AFB7A8FE91304F454A2EF4D1D2291EB31AA098B67

Function 0083E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0083E645

Strings

1#INF, xrefs: 0083F852
1#SNAN, xrefs: 0083F844
1#IND, xrefs: 0083F83D
1#QNAN, xrefs: 0083F84B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction ID: 686beceb53efb13a4d3c78f2d3f61a561f2826303e12655410b3a97e3e5d6cb6
Opcode Fuzzy Hash: ce27de4e4eba6133a24b1c6175196eb8df05a0d12fadbfbc29b5a2696864ac8e
Instruction Fuzzy Hash: 7EC22A71E086298FDB25CE28DD407EAB7B5FB85305F1441EAD94DE7281E774AE818F80

Function 0087648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008764DC
CoInitialize.OLE32(00000000), ref: 00876639
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 00876650
CoUninitialize.OLE32 ref: 008768D4

Strings

.lnk, xrefs: 008764BA, 00876524, 008765E0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction ID: 134dcfa0e9f99065f84fd03d9d2140a88952747ba9913d21ef05a93a04cfdf63
Opcode Fuzzy Hash: 73b4f3bfc89af78b3dfe7a2b0fe1b873102d47f84e862e5e9a35c9c55516300d
Instruction Fuzzy Hash: B8D149715086019FD304EF28C881E6BB7E8FF94704F14896DF599CB2A2EB71E905CB92

Function 008822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008822E8

Part of subcall function 0087E4EC: GetWindowRect.USER32(?,?), ref: 0087E504

GetDesktopWindow.USER32 ref: 00882312
GetWindowRect.USER32(00000000), ref: 00882319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00882355
GetCursorPos.USER32(?), ref: 00882381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008823DF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction ID: d9ee9779b0a4849d4d521afedabb6632b5bacc31187ad13609e581363ca30d6b
Opcode Fuzzy Hash: b6f1770371e08de991a8f0dfe43309d78827c13ebe70437a3f2f8ef6838d83bb
Instruction Fuzzy Hash: 9031C072504315AFDB20EF58C849B5BBBA9FF88314F04091EF985D7291DB35EA09CB92

Function 00879B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00879B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00879C8B

Part of subcall function 00873874: GetInputState.USER32 ref: 008738CB
Part of subcall function 00873874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00879BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00879C75

Strings

*.*, xrefs: 00879B5D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction ID: 4a7401e61ada8a65dee9a6d63e58f4c40206a92feb258a96267a9eb12e97c458
Opcode Fuzzy Hash: 7a8a3b02f30c80e2e894b95e9bfd6ca01c906199275f706b808db93a1bd73084
Instruction Fuzzy Hash: 714160719002099FCF55DFA4C985AEE7BB8FF45310F148056E459E2295EB31DE84CF61

Function 0081997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00819A4E
GetSysColor.USER32(0000000F), ref: 00819B23
SetBkColor.GDI32(?,00000000), ref: 00819B36

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction ID: 18a9a1c448ef53062bb65152a896cdd3a9a2485c19b64d10f9fbbe091fc0b4fc
Opcode Fuzzy Hash: 65a19ffa38e755fa767c406ca18e92316610faa377d283b5273b4e0cdc9c22e5
Instruction Fuzzy Hash: BEA15070209428BEEB24AA3CAC78DFB3B9DFF46315F154219F582C65D1CA259D89C272

Function 00881806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0088185D
WSAGetLastError.WSOCK32 ref: 00881884
bind.WSOCK32(00000000,?,00000010), ref: 008818DB
WSAGetLastError.WSOCK32 ref: 008818E6
closesocket.WSOCK32(00000000), ref: 00881915

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction ID: e7f947592fb5f0070e0c12a96070e10750b3599033c47749e5424763892cd7d8
Opcode Fuzzy Hash: 4a0a809bd0998ededee9df1843f0bb4ea965c4825c47c899ddcf615fdf6e0730
Instruction Fuzzy Hash: C7518371A002105FDB10AF28CC86F6A77A9FB44718F588458F905DF3D3DB71AD428BA2

Function 00891C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00891CC0
IsWindowEnabled.USER32 ref: 00891CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00891CDB
IsIconic.USER32 ref: 00891CE9
IsZoomed.USER32 ref: 00891CF7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 435ea4b1ff01736312d3c99cebcefa362a0222bff224ad69b826c4de7f18e4a7
Instruction ID: ddaba73d0a6ceae8e1d476cd8142ed484735ecb23f0109df123062870c0ffbb2
Opcode Fuzzy Hash: 435ea4b1ff01736312d3c99cebcefa362a0222bff224ad69b826c4de7f18e4a7
Instruction Fuzzy Hash: 6A21D3317442129FDF20AF1AC848B2A7BE5FF95318B1D8059E846CB351CB72DC42CB91

Function 00808060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0080843C
ERCP, xrefs: 0080813C
VUUU, xrefs: 008083FA
VUUU, xrefs: 00845DF0
VUUU, xrefs: 008083E8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction ID: 3b3dd99da8861e26a3987a59232d8ce8d8b0a14941ef4c943b959940685adc81
Opcode Fuzzy Hash: 95bc62f3580060281f09128345f675412b20366f994538af123f86bc04333123
Instruction Fuzzy Hash: A8A27A70A0061ECBDF64CF58C8807AEB7B1FB55314F2481AAE855EB285EB709DD1CB91

Function 0086AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0086AAAC
SetKeyboardState.USER32(00000080), ref: 0086AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0086AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0086AB88

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction ID: 9dcf8dbf4dbfa9a95d44f0c84481312140815c2d838397e5773c0b4fde7e69db
Opcode Fuzzy Hash: 588cec356938de7cfd354f79f5b0db7725518352d4d6ce343e230b23fb5b4a76
Instruction Fuzzy Hash: 5D31E930A40258AEEB39CA658C05BFE77AAFB45320F09421BE581E61D1D3758D81CB62

Function 0087CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0087CE89
GetLastError.KERNEL32(?,00000000), ref: 0087CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0087CEFE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction ID: 9f6b8e5111f4480a9c4657fd66ec2d8447cc26eda142071f86c824e4cc9cafb9
Opcode Fuzzy Hash: da3c6a52b92d52a2a032a3c8e81b2a7bcb04ce65d2a391ac6c1fbf2939cdb6d6
Instruction Fuzzy Hash: F421BDB2500705ABEB20DFA5D948BA67BF8FB40318F14841EE54AD3151EB70EE448B64

Function 00868298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008682AA

Strings

|, xrefs: 008682DA
(, xrefs: 008682F0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction ID: d1affc789cc6421f5b09e81682a8c8e940ee40adff9efae5861c8516cbef0a4c
Opcode Fuzzy Hash: 24adef32047e4693e8d1e05cf00643a6fa91849be30de5598781f76bca59355b
Instruction Fuzzy Hash: 20322575A00605DFCB28CF59C481A6AB7F0FF48710B16C56EE59ADB3A1EB70E981CB44

Function 00875C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00875CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00875D17
FindClose.KERNEL32(?), ref: 00875D5F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction ID: efdf8c1a0c0654c0867f0a53b90f68acd0fc49cd5cc0154d34e7408be7f7c61a
Opcode Fuzzy Hash: b6bb4f42b030529145e7570d554315ee33145da18d8ed5ec01ce110f13a5cf32
Instruction Fuzzy Hash: 5051BA746046019FC714DF28C894A9ABBE4FF49324F14856EE95ACB3A1CB70ED40CB92

Function 00832622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0083271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00832724
UnhandledExceptionFilter.KERNEL32(?), ref: 00832731

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction ID: 3c021ff568d1ec4ef0a75738594c4081cf33f7d95a83af66ddd7fd7e2613ce5e
Opcode Fuzzy Hash: 1ce0f3ebde2558050c99fab63e28487e46dbb554a95fdb6779385fa61dcfbb21
Instruction Fuzzy Hash: 5D31B574911228ABCB21DF68DC89B9DB7B8FF08310F5041EAE41CA7261E7309F818F85

Function 008751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00875238
SetErrorMode.KERNEL32(00000000), ref: 008752A1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction ID: bb89905c11349c876eaa67802d4d065066564aa5e06f4f7767b823a10e6a921c
Opcode Fuzzy Hash: 63f6685ecf4888ff5cac6b9bbb711e6d5d452df52bc9c64384f97e183b67bfc7
Instruction Fuzzy Hash: F8315075A10518DFDB00DF54D884EADBBB4FF49314F088099E809EB3A6DB71E855CB51

Function 008616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820668
Part of subcall function 0081FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00820685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0086170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0086173A
GetLastError.KERNEL32 ref: 0086174A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 82f47123c578ad1febd214c7c98ccdde6496f2889a86c43849ffc528613cea10
Instruction ID: 62802138ec7b6675de4dc6f7970ea56ad67835db64e11986f0347396190386ad
Opcode Fuzzy Hash: 82f47123c578ad1febd214c7c98ccdde6496f2889a86c43849ffc528613cea10
Instruction Fuzzy Hash: 431194B1414304AFD718AF54EC86D6AB7FDFF44754B25852EE05697242EB71BC418B20

Function 0086D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0086D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0086D650

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction ID: f11bcf2553f23c0a3bf1d4f5624645fd8c08b5084c687c2187ff23c2a3d5c4ff
Opcode Fuzzy Hash: b682fa2acc8493f274b8b0c75dc11d89a81255b122d55a342af71a778ffc2af5
Instruction Fuzzy Hash: 96113C75E05228BBDB109F95DC45FAFBBBCFB45B50F108116F904E7290D6704A058BA1

Function 00861663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0086168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008616A1
FreeSid.ADVAPI32(?), ref: 008616B1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction ID: a7da07d414d6a7fd21fc4433fe0b05f2fa5293521c51aba122777206fffe30c8
Opcode Fuzzy Hash: 3e7128029bf6c946813faaad9242501ec79b12245be98137c051caab8f310551
Instruction Fuzzy Hash: DFF04471940308FBDF00DFE0CC89AAEBBBCFB08200F444561E500E2181E331AA048A50

Function 0083C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0083C36C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ea7df74e7027890b8b35bf07abffc82a2ce1c0a10e95aa620c8889909b9e582d
Instruction ID: 68149ccd9537026fb90f2fc436b9d9eada738fc04b16e23d8c145525969820e7
Opcode Fuzzy Hash: ea7df74e7027890b8b35bf07abffc82a2ce1c0a10e95aa620c8889909b9e582d
Instruction Fuzzy Hash: 1C412976500219AFCB20AFB9DC49EBB7778FBC4314F104269F915E7280E671AD81CB90

Function 0085D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0085D28C

Strings

X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction ID: bd0ac06d9508a343db7f3ba78b81d2b403821f336ed01250883706eb99257cff
Opcode Fuzzy Hash: 19832a0e65cb8c5836cb0f6e0bc5ea71a6a2cf1d898858ea7884f35ae35a2985
Instruction Fuzzy Hash: 03D0C9B580121DEECB90DB90DC88DDDB37CFB14309F100152F506E2000D77095888F20

Function 0082CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f2aa0fe9e9059a15c8425f1af599375e69d62a3e133fc26f66cbdba368b5e429
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 54021C71E002299FDF14CFA9D9806ADFBF1FF48314F25816AD919E7384D731AA418B94

Function 008768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00876918
FindClose.KERNEL32(00000000), ref: 00876961

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction ID: a60508f264e26a83e73f7f753078cc956bfa24cce52069b43c1e846ecf2c9ce5
Opcode Fuzzy Hash: 0f5f8c5049dc413808173455c6e59ab398d04ba4c575f66ba586b308f9589af2
Instruction Fuzzy Hash: AB11D0716046019FD710DF69C884A16BBE0FF85328F04C699E569CF2A2DB30EC05CB91

Function 008737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00884891,?,?,00000035,?), ref: 008737F4

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction ID: dd8cd9e687c77dd36f09abbc6bf856af361872b09cb788174330d8bf48220afd
Opcode Fuzzy Hash: 722740b2644e27acaccb382b5e98dfcdd1f5d768deb1aa86e37b746d101a3684
Instruction Fuzzy Hash: 3AF0E5B16042282AEB2027AA8C4DFEB7BAEFFC47A1F000175F509D2295D9609944C6B1

Function 0086B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0086B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0086B270

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction ID: 8b2aedcd040cdade5e5283a0df271c4758d7e04c076a8c97a427e9974c358498
Opcode Fuzzy Hash: 27e21a9d27efdbaf107d1c908c621361015e0344f4a5cf3e3d461575df146434
Instruction Fuzzy Hash: 50F01D7180428DABDB059FA4C805BAE7BB4FF04309F04801AF955E6192D37986519F94

Function 008610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008611FC), ref: 008610D4
CloseHandle.KERNEL32(?,?,008611FC), ref: 008610E9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5ec5a6e37c9e1f3448c14253a66143a6ba01c91b8be0859dfb638cf85d533df5
Instruction ID: c074f0106ccf55d0e81fe8cdd1e71f95a064e6ae8576e3ffa5beb798b5d5f41e
Opcode Fuzzy Hash: 5ec5a6e37c9e1f3448c14253a66143a6ba01c91b8be0859dfb638cf85d533df5
Instruction Fuzzy Hash: 9FE0BF72018610AEEB252B55FC09EB777ADFF04310F14882EF5A5C44B2DB626CE0DB50

Function 0080CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00850C40

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c9a4a5e9926e7f30580fbdd55e64c64179c3c509790261f185c13fc57524ee8a
Instruction ID: 8fe08dab713c76f5de7f01ba4046d45e0028951cc2dc2934800c3afd61f7698d
Opcode Fuzzy Hash: c9a4a5e9926e7f30580fbdd55e64c64179c3c509790261f185c13fc57524ee8a
Instruction Fuzzy Hash: C8327A709002199BDF54DF94CC81AEDB7B5FF05308F248259E806EB292DB75AE49CB62

Function 0083676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00836766,?,?,00000008,?,?,0083FEFE,00000000), ref: 00836998

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction ID: 3129cfaf292cd8a17dc6eef98c13f0a170d9d4d8de728a77415133a560e28cef
Opcode Fuzzy Hash: 9ef20272725ccb1ba4ff81572000064edb7b6365c891131d7e10b2a9af9af5fb
Instruction Fuzzy Hash: E6B13C31510608AFD715CF2CC48AB657BE0FF85368F29C658E899CF2A1D735D9A1CB80

Function 0081B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0085851F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction ID: 613aee88545ad06c2233233c90affc102db9ab2150d9582b963bd0b763788c96
Opcode Fuzzy Hash: 1fa14a5a3d7e47f70f95a745785b23aad4866b4a5711a732748a28da5dc3acfa
Instruction Fuzzy Hash: 4B124D75A00229DFDB14CF58C8816EEB7F9FF48710F14819AE849EB255EB309A85CF94

Function 0087EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0087EABD

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction ID: 7edca3f50e56218e8c7655692231890a5debdd309fb27251d0e65c306da58547
Opcode Fuzzy Hash: 1623706e68e435f385750653efb2d66cc71cc881ae68a1b5b9b1ac4f87ed5325
Instruction Fuzzy Hash: ABE01A312002149FD710EF59D804E9AF7E9FFA8764F00845AFC49C72A1DAB0E8408B91

Function 008209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008203EE), ref: 008209DA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction ID: e1fa39588e1e3347f5ed8d0e1487884ade553280bafc22b6ab96953bc72e71dd
Opcode Fuzzy Hash: 72f2f024fc57364b3d8e3aa80dbb46c941a7864329444faa6013a7dbfec51bf3
Instruction Fuzzy Hash:

Function 0082781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0082798B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: edeef3a6df98354cf6398ee62cb59c2d837931699ab6cc4e94fd2372fa56d3bf
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8D51687160C779ABDF38852FB85E7BE2B85FB12304F180529D982D7282C619DEC1D35A

Function 00836DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction ID: 2be5aa7028b62ed2b9990df0df2a844ba1f484298e0fef4bd8d5087f4f46a37d
Opcode Fuzzy Hash: fe64c9f4154901a9869231e4e7f9695f17aa3335ed4a72449c09a87376d7af06
Instruction Fuzzy Hash: D3320162D29F414DE7339638C822326A649BFB73C5F15D737E81AB5DAAEB29C4834140

Function 0081CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction ID: 99b0ea8f014adf4e6326ce671b3f657542b712ace2015e8d9fd788824e204e7f
Opcode Fuzzy Hash: 9f831e98dd76cbdc84b43d0b7fe64e9e87da2505132414c7899a798a54f94900
Instruction Fuzzy Hash: 2132F431A003198FCF24CE69C4946BD7BA5FF85316F28856ADC4ADB291E2349D89DF81

Function 00807920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e0d0ecfaee7f1d070f705829271dc7732e7ecadd0437195040d640e104ae40
Instruction ID: 75eb1b25eadff4600adc9687aaae64e109a22568677e8fd50e535c8b03938a65
Opcode Fuzzy Hash: b0e0d0ecfaee7f1d070f705829271dc7732e7ecadd0437195040d640e104ae40
Instruction Fuzzy Hash: B722BFB0E04609DFDF14CF68D881AAEB7B5FF44314F144629E812EB292EB36AD51CB51

Function 008091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabf047289da0167ee5ae5bed9b28150659a6240f09d3ea052048749a9762802
Instruction ID: 258cb85d8c72eb4206dfaa907432aa3516fc5c227726a5e7a9b5d9619d693f2b
Opcode Fuzzy Hash: cabf047289da0167ee5ae5bed9b28150659a6240f09d3ea052048749a9762802
Instruction Fuzzy Hash: 7002C6B0E00219EFDB04DF68D881AAEB7B5FF54304F118169E856DB3D1EB31AA51CB81

Function 00839EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction ID: 86cd61484df1f2c904e3e7c396a8ca7c50867afb98fcbe871cf1d85b779af105
Opcode Fuzzy Hash: ce09e9ffcee83886b5096b0d671f476b094aa1d41e17651a698c29029bdaff1f
Instruction Fuzzy Hash: 56B1DF20D2AF414DE62396399831336F65CBFBB6D5F91D71BFC6674E22EB2286834140

Function 00821C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d8a11d8c7833d68d7b1df5f0147c65f138085518af589c30722cf97e521f7f57
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 97915A766080B34ADF294639A57C07EFFE1FA623A132A079DD4F2CA1C5EE2495D4D620

Function 00821F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 60b710e42ba0ce8eb404f3b2ead8630569d9d186b4190b6f7edda9a8af3d3c30
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0B9177732090B359DB2D4239957843EFFE1EA923A131A079DD4F2CB1D5EE24D9E4D620

Function 008219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9560c3b2c3a9317b541f1613249dfe0784b273607c787e0b561794dd0b728e29
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D79124722090B349DF69467AA57C03DFEF1EAA23B536A07AED4F3CA1C1FD1485D49620

Function 00827A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction ID: 6e6181d51891e8a5daae1b4013ba2754979215591ffa860df1e5c27c78f5e7f9
Opcode Fuzzy Hash: 8372bc9bbc3ad6769b2c8ee0957ad05159656a7302f0ebd62936ce887d4310d2
Instruction Fuzzy Hash: 5561797120873996DF389A2EBC95BBE2394FF41774F10091AE943DB281DA119EC2C756

Function 00827CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction ID: fe9662397fcc906981d4454877d9e5a6c890648a791e954a2955dad32e6eb961
Opcode Fuzzy Hash: 90f9489d0d2f45c3309c699b13248532a825e458a37a31377a9649ba190a0c51
Instruction Fuzzy Hash: 62618D79208739A7DE384A2E7855BBF23C4FF42B04F10095AE843DB2C9DA119DC18766

Function 00821706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 31418f0b74bbe76d3ec6e327b49c6d3b2ed3d0a85fa77dcef992ddffe147e4bd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 548153726090B34DDF694239957843EFFE1FAA23A132A07AED4F2CA1C5EE1485D4D620

Function 00872046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction ID: f3383d6602bdb2dbc013bef91619bc20d5bbd85abebfd74b4cc0b7edcfe2e6ad
Opcode Fuzzy Hash: f507a6a61a244edfa52b0251acaf37e437bb5e82835b88a8e20c428eb640fe99
Instruction Fuzzy Hash: 7B2184326216118BDB28CE79C81267E73E5F764310F198A2EA4A7C37D0DE35E9048B50

Function 00882ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00882B30
DeleteObject.GDI32(00000000), ref: 00882B43
DestroyWindow.USER32 ref: 00882B52
GetDesktopWindow.USER32 ref: 00882B6D
GetWindowRect.USER32(00000000), ref: 00882B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00882CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00882CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882CF8
GetClientRect.USER32(00000000,?), ref: 00882D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00882D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D80
GlobalLock.KERNEL32(00000000), ref: 00882D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882D98
GlobalUnlock.KERNEL32(00000000), ref: 00882DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DA8
GlobalFree.KERNEL32(00000000), ref: 00882DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0089FC38,00000000), ref: 00882DDB
GlobalFree.KERNEL32(00000000), ref: 00882DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00882E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00882E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00882E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0088303F

Strings

AutoIt v3, xrefs: 00882CF2
, xrefs: 00882FC5
DISPLAY, xrefs: 00882EA2
static, xrefs: 00882D3A, 00882E91

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction ID: 0efeb370e7bb82030b573728859d116d13b452b1ac4da0d7d8aa1fbacda8a74c
Opcode Fuzzy Hash: 759ff60bee86051f7b1dbc1178079d2c692e43e60a754472b71d1f03bf6a2dc0
Instruction Fuzzy Hash: 87024D71500209AFDB14EFA8CC89EAE7BB9FF48714F048159F915EB2A1DB75AD01CB60

Function 008970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0089712F
GetSysColorBrush.USER32(0000000F), ref: 00897160
GetSysColor.USER32(0000000F), ref: 0089716C
SetBkColor.GDI32(?,000000FF), ref: 00897186
SelectObject.GDI32(?,?), ref: 00897195
InflateRect.USER32(?,000000FF,000000FF), ref: 008971C0
GetSysColor.USER32(00000010), ref: 008971C8
CreateSolidBrush.GDI32(00000000), ref: 008971CF
FrameRect.USER32(?,?,00000000), ref: 008971DE
DeleteObject.GDI32(00000000), ref: 008971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00897230
FillRect.USER32(?,?,?), ref: 00897262
GetWindowLongW.USER32(?,000000F0), ref: 00897284

Part of subcall function 008973E8: GetSysColor.USER32(00000012), ref: 00897421
Part of subcall function 008973E8: SetTextColor.GDI32(?,?), ref: 00897425
Part of subcall function 008973E8: GetSysColorBrush.USER32(0000000F), ref: 0089743B
Part of subcall function 008973E8: GetSysColor.USER32(0000000F), ref: 00897446
Part of subcall function 008973E8: GetSysColor.USER32(00000011), ref: 00897463
Part of subcall function 008973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
Part of subcall function 008973E8: SelectObject.GDI32(?,00000000), ref: 00897482
Part of subcall function 008973E8: SetBkColor.GDI32(?,00000000), ref: 0089748B
Part of subcall function 008973E8: SelectObject.GDI32(?,?), ref: 00897498
Part of subcall function 008973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
Part of subcall function 008973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
Part of subcall function 008973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d498cfa95db0f05478bc8f0e479cd1455abb844eec3db795545acaaa5955c913
Instruction ID: 1bfacb28dee2302cc78311a13d0896dbac26f6035b612ac4e170d0c965d92e44
Opcode Fuzzy Hash: d498cfa95db0f05478bc8f0e479cd1455abb844eec3db795545acaaa5955c913
Instruction Fuzzy Hash: 3FA18172018301BFDB11AF64DC48E6B7BA9FF89321F180A1AF962D61E1D772E944CB51

Function 00818D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00818E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00856AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00856AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00856F43

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

SendMessageW.USER32(?,00001053), ref: 00856F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00856F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00856FB7

Strings

0, xrefs: 00856DCF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction ID: c8723828c72ea84be972382816397a97f63c68380f56675419bdb9946935aca1
Opcode Fuzzy Hash: a2605a1888d627d0d3fa63eded44afc78949b07fc1e64a96ae27e08b7d757c2d
Instruction Fuzzy Hash: C212BE30601201EFDB21DF24D859BA9BBF5FF44312F98456AF885CB261DB32ACA5CB51

Function 00882711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0088273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0088286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00882900
GetClientRect.USER32(00000000,?), ref: 0088290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00882955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00882964
GetStockObject.GDI32(00000011), ref: 00882974
SelectObject.GDI32(00000000,00000000), ref: 00882978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00882988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00882991
DeleteDC.GDI32(00000000), ref: 0088299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00882A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00882A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00882A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00882A77
GetStockObject.GDI32(00000011), ref: 00882A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00882A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00882A97

Strings

msctls_progress32, xrefs: 00882A13
AutoIt v3, xrefs: 008828F8
DISPLAY, xrefs: 0088295A
static, xrefs: 0088294F, 00882A71

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction ID: 97f5872383f7af39ab7b7c723efed8bd6d21b8ff151984cb2b89ec4f852a61fd
Opcode Fuzzy Hash: 080bdd810fac39a0f170cded34ac0f8e819665df50fad8eddeabc66952dd53d4
Instruction Fuzzy Hash: 75B14A71A00215BFEB14EFA8CC49EAA7BA9FB08714F044255F915E72E0D774AD40CBA4

Function 00874ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874AED
GetDriveTypeW.KERNEL32(?,0089CB68,?,\\.\,0089CC08), ref: 00874BCA
SetErrorMode.KERNEL32(00000000,0089CB68,?,\\.\,0089CC08), ref: 00874D36

Strings

1394, xrefs: 00874C9F
RAMDisk, xrefs: 00874BF4
FileBackedVirtual, xrefs: 00874CEC
SSA, xrefs: 00874CA6
SCSI, xrefs: 00874C8A
ATAPI, xrefs: 00874C91
Fixed, xrefs: 00874C09
Removable, xrefs: 00874C10, 00874C15
USB, xrefs: 00874CB4
iSCSI, xrefs: 00874CC2
Network, xrefs: 00874C02
Unknown, xrefs: 00874BED, 00874C83
SAS, xrefs: 00874CC9
SSD, xrefs: 00874C4A
Fibre, xrefs: 00874CAD
RAID, xrefs: 00874CBB
PhysicalDrive, xrefs: 00874B76
ATA, xrefs: 00874C98
CDROM, xrefs: 00874BFB
\\.\, xrefs: 00874B3F
SATA, xrefs: 00874CD0
Virtual, xrefs: 00874CE5
MMC, xrefs: 00874CDE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction ID: be89605a120835088e555044f1552606ad58cf02edc38b85c5eaaad3c68c260a
Opcode Fuzzy Hash: 2891da69ddf4779c8375c5c94ae83f257cbcb666d1e66df76dd5b65e9ce76a2e
Instruction Fuzzy Hash: 2A61A1316051099BCB15DB58C981E6977B0FF84304B24D029F91BEB399EB3ADD519B42

Function 008973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00897421
SetTextColor.GDI32(?,?), ref: 00897425
GetSysColorBrush.USER32(0000000F), ref: 0089743B
GetSysColor.USER32(0000000F), ref: 00897446
CreateSolidBrush.GDI32(?), ref: 0089744B
GetSysColor.USER32(00000011), ref: 00897463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00897471
SelectObject.GDI32(?,00000000), ref: 00897482
SetBkColor.GDI32(?,00000000), ref: 0089748B
SelectObject.GDI32(?,?), ref: 00897498
InflateRect.USER32(?,000000FF,000000FF), ref: 008974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0089752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00897554
InflateRect.USER32(?,000000FD,000000FD), ref: 00897572
DrawFocusRect.USER32(?,?), ref: 0089757D
GetSysColor.USER32(00000011), ref: 0089758E
SetTextColor.GDI32(?,00000000), ref: 00897596
DrawTextW.USER32(?,008970F5,000000FF,?,00000000), ref: 008975A8
SelectObject.GDI32(?,?), ref: 008975BF
DeleteObject.GDI32(?), ref: 008975CA
SelectObject.GDI32(?,?), ref: 008975D0
DeleteObject.GDI32(?), ref: 008975D5
SetTextColor.GDI32(?,?), ref: 008975DB
SetBkColor.GDI32(?,?), ref: 008975E5

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 921b026910db4819121ec3033fce3f6dfa218ad921bf4b19045ebb7da49e99ba
Instruction ID: 693ef475c6a42bb1c55d99772a4317a817d1f004815b6fcba6e6fc189e8cfc18
Opcode Fuzzy Hash: 921b026910db4819121ec3033fce3f6dfa218ad921bf4b19045ebb7da49e99ba
Instruction Fuzzy Hash: 53613C72904218AFDF01AFA4DC49AEEBFB9FF09320F194116F915AB2A1D7759940CB90

Function 00890FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00891128
GetDesktopWindow.USER32 ref: 0089113D
GetWindowRect.USER32(00000000), ref: 00891144
GetWindowLongW.USER32(?,000000F0), ref: 00891199
DestroyWindow.USER32(?), ref: 008911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0089120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0089121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00891232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00891245
IsWindowVisible.USER32(00000000), ref: 008912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008912D0
GetWindowRect.USER32(00000000,?), ref: 008912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0089130E
GetMonitorInfoW.USER32(00000000,?), ref: 00891328
CopyRect.USER32(?,?), ref: 0089133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008913AA

Strings

tooltips_class32, xrefs: 008911E6
0, xrefs: 008910D3
(, xrefs: 0089131B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction ID: d0ea2478c45570211dc91fff9dd29580110e8a7b9aa57e5328e86f5fea558c2b
Opcode Fuzzy Hash: 2bcb730d31e36b520ecd0db4718d810333668a19c1bb3b1725432abec43f769c
Instruction Fuzzy Hash: 78B16D71608341AFDB54EF64C888B5ABBE4FF84354F04891DF999DB2A1C771E844CB52

Function 00890241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008902E5
_wcslen.LIBCMT ref: 0089031F
_wcslen.LIBCMT ref: 00890389
_wcslen.LIBCMT ref: 008903F1
_wcslen.LIBCMT ref: 00890475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00890504

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

Part of subcall function 0086223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00862258
Part of subcall function 0086223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0086228A

Strings

SELECT, xrefs: 00890548
GETSELECTED, xrefs: 008905E1
GETSELECTEDCOUNT, xrefs: 00890470, 0089048B
DESELECT, xrefs: 0089059C
SELECTINVERT, xrefs: 0089057E
SELECTCLEAR, xrefs: 0089052D
SELECTALL, xrefs: 00890515
GETITEMCOUNT, xrefs: 00890316, 00890337
VIEWCHANGE, xrefs: 00890675
GETSUBITEMCOUNT, xrefs: 00890384, 0089039F
ISSELECTED, xrefs: 008904DD
GETTEXT, xrefs: 008903EC, 00890407
FINDITEM, xrefs: 00890627

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 523df677df6c49ab1f203e6289078ef76dc4c1befb1a097602b55b4175817646
Instruction ID: 17b5fa65400a9da6d8e9fe42579188093eba16be00bfcd1142274657cb340b18
Opcode Fuzzy Hash: 523df677df6c49ab1f203e6289078ef76dc4c1befb1a097602b55b4175817646
Instruction Fuzzy Hash: 6CE18E312082018FCB14EF28C95192AB7E6FF98718B18455CF996EB3A2DB30ED45CF52

Function 00818891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00818968
GetSystemMetrics.USER32(00000007), ref: 00818970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0081899B
GetSystemMetrics.USER32(00000008), ref: 008189A3
GetSystemMetrics.USER32(00000004), ref: 008189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00818A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00818A3C
GetClientRect.USER32(00000000,000000FF), ref: 00818A5A
GetStockObject.GDI32(00000011), ref: 00818A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00818A81

Part of subcall function 0081912D: GetCursorPos.USER32(?), ref: 00819141
Part of subcall function 0081912D: ScreenToClient.USER32(00000000,?), ref: 0081915E
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000001), ref: 00819183
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000002), ref: 0081919D

SetTimer.USER32(00000000,00000000,00000028,008190FC), ref: 00818AA8

Strings

AutoIt v3 GUI, xrefs: 00818A20

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction ID: 3b4307b18aca6e21786110c0c63441bab0cfce80da2ef153490823a7271daa0c
Opcode Fuzzy Hash: 144e58035851ce1a58e046cbb14b0139869788d0e851d425b37f812cda5d2b86
Instruction Fuzzy Hash: 36B15871A00209EFDF14DFA8CC59BAA7BB5FF48315F14422AFA15E7290DB34A880CB51

Function 00860D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
Part of subcall function 008610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
Part of subcall function 008610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
Part of subcall function 008610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
Part of subcall function 008610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00860DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00860E29
GetLengthSid.ADVAPI32(?), ref: 00860E40
GetAce.ADVAPI32(?,00000000,?), ref: 00860E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00860E96
GetLengthSid.ADVAPI32(?), ref: 00860EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00860EB5
HeapAlloc.KERNEL32(00000000), ref: 00860EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00860EDD
CopySid.ADVAPI32(00000000), ref: 00860EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00860F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00860F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00860F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F6E
HeapFree.KERNEL32(00000000), ref: 00860F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F7E
HeapFree.KERNEL32(00000000), ref: 00860F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00860F8E
HeapFree.KERNEL32(00000000), ref: 00860F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00860FA1
HeapFree.KERNEL32(00000000), ref: 00860FA8

Part of subcall function 00861193: GetProcessHeap.KERNEL32(00000008,00860BB1,?,00000000,?,00860BB1,?), ref: 008611A1
Part of subcall function 00861193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00860BB1,?), ref: 008611A8
Part of subcall function 00861193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00860BB1,?), ref: 008611B7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction ID: 5473a9a354ecfa4d604ee2022329a7b2342259ce0056a85d89b8f097315104df
Opcode Fuzzy Hash: a0d8ed07afc8ad1d1564c3d692eb22a8a74785dec7de7144761154749efa27f5
Instruction Fuzzy Hash: 6871597290021AAFDF219FA4DC48BAFBBB8FF15300F094116F959E6191DB329A05CF64

Function 0088C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0089CC08,00000000,?,00000000,?,?), ref: 0088C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0088C5A4
_wcslen.LIBCMT ref: 0088C5F4
_wcslen.LIBCMT ref: 0088C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0088C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0088C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0088C84D
RegCloseKey.ADVAPI32(?), ref: 0088C881
RegCloseKey.ADVAPI32(00000000), ref: 0088C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0088C960

Strings

REG_MULTI_SZ, xrefs: 0088C6F5
REG_QWORD, xrefs: 0088C8C3
REG_EXPAND_SZ, xrefs: 0088C5CD
REG_DWORD, xrefs: 0088C804
REG_SZ, xrefs: 0088C644
REG_BINARY, xrefs: 0088C913

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8e8c54cac9c8e066eef182ad29d5847e5c6f85986c57f5f79caa6af6301cd8f9
Instruction ID: ce8c25dafa511c8a141927fd0511b03a39359e0a3bb651c6b667e08a4444be5e
Opcode Fuzzy Hash: 8e8c54cac9c8e066eef182ad29d5847e5c6f85986c57f5f79caa6af6301cd8f9
Instruction Fuzzy Hash: 6C1236356042019FDB54EF18C891A2AB7E5FF88714F14885DF89ADB3A2DB31ED41CB92

Function 0089091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008909C6
_wcslen.LIBCMT ref: 00890A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00890A54
_wcslen.LIBCMT ref: 00890A8A
_wcslen.LIBCMT ref: 00890B06
_wcslen.LIBCMT ref: 00890B81

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

Part of subcall function 00862BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00862BFA

Strings

UNCHECK, xrefs: 00890D3E
SELECT, xrefs: 00890D11
EXISTS, xrefs: 00890B7C, 00890B97
GETITEMCOUNT, xrefs: 00890C1E
CHECK, xrefs: 00890A85, 00890AA0
GETSELECTED, xrefs: 00890C4E
EXPAND, xrefs: 00890BF8
COLLAPSE, xrefs: 00890B01, 00890B1C
GETTEXT, xrefs: 00890C97
GETTOTALCOUNT, xrefs: 008909F2, 00890A17
ISCHECKED, xrefs: 00890CE1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction ID: 40519726c10d0a51a22403254c0800f73cd8f5e68df5c0ee990b43e609a1e733
Opcode Fuzzy Hash: 31ea3500dcaa3bd9c0181c644f979b8422167b7598f640892deb83309dc03812
Instruction Fuzzy Hash: 44E15A316087118FCB14EF28C85096AB7E1FF98358B19495DF896DB3A2DB31ED45CB82

Function 0088C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
_wcslen.LIBCMT ref: 0088C9F1
_wcslen.LIBCMT ref: 0088CA68
_wcslen.LIBCMT ref: 0088CA9E
_wcslen.LIBCMT ref: 0088CAF9
_wcslen.LIBCMT ref: 0088CB2F
_wcslen.LIBCMT ref: 0088CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0088CA62, 0088CA67
HKU, xrefs: 0088CBF0
HKEY_CLASSES_ROOT, xrefs: 0088CAF3, 0088CAF8
HKCU, xrefs: 0088CBCE
HKEY_USERS, xrefs: 0088CBDF
HKEY_CURRENT_CONFIG, xrefs: 0088CB79, 0088CB7E
HKEY_CURRENT_USER, xrefs: 0088CBBD
HKCC, xrefs: 0088CBAC
HKLM, xrefs: 0088CA98, 0088CA9D
HKCR, xrefs: 0088CB29, 0088CB2E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction ID: d1d7969ba2f62216f80d46bce29facf585d0f36b240a5e661b31f06f5739686f
Opcode Fuzzy Hash: d6211695ec774bf6cd3deaaff39424c5c7430a5312a903ee436c65c5ca2b283f
Instruction Fuzzy Hash: 0071F47260052A8BCB24FE7CDD41ABA37A5FF60764F150129F866D7289E631CD8487B1

Function 0089833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089835A
_wcslen.LIBCMT ref: 0089836E
_wcslen.LIBCMT ref: 00898391
_wcslen.LIBCMT ref: 008983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00895BF2), ref: 0089844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00898501
FreeLibrary.KERNEL32(?), ref: 0089850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0089851D
DestroyIcon.USER32(?,?,?,?,?,00895BF2), ref: 0089852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00898549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00898555

Strings

.exe, xrefs: 00898388
.dll, xrefs: 008983AB
.icl, xrefs: 00898368

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction ID: 2141d01e28813f320948b7f6632105493c4b74771da5e0f20ceaf5a0a14dbb82
Opcode Fuzzy Hash: 4d5dbb132795d32da71471327c9a6ce5a4c688b9fe133244ae5c904fdf646475
Instruction Fuzzy Hash: 4561AE7154021AFAEF14EF68DC41BBE7BA8FF09B21F14460AF815D61D1DB75A980CBA0

Function 00807778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00807817
#comments-end, xrefs: 008078D9
", xrefs: 00845153
#requireadmin, xrefs: 008077FF
Bad directive syntax error, xrefs: 0084519A
#pragma compile, xrefs: 008077D3
#ce, xrefs: 008078ED
', xrefs: 00845169
#comments-start, xrefs: 0080785F, 008078B1
#notrayicon, xrefs: 008077E7
Unterminated group of comments, xrefs: 0084528C
#include, xrefs: 00807847
#cs, xrefs: 00807873, 008078C5
Cannot parse #include, xrefs: 00845279
#include-once, xrefs: 0080782F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d2d556dfb9e3ff3c7d996311eed2676149939f2a667277f24f7155e0444c39f9
Instruction ID: 37ac5f17df21e7dee2b0b7dc1e2819e892f61cbf5fee66f725e636109cde4eec
Opcode Fuzzy Hash: d2d556dfb9e3ff3c7d996311eed2676149939f2a667277f24f7155e0444c39f9
Instruction Fuzzy Hash: 3B81D371A04219BBEF60AF64DC42FAE37A8FF55340F044025F905EA2D3EB74E951C6A2

Function 00873E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00873EF8
_wcslen.LIBCMT ref: 00873F03
_wcslen.LIBCMT ref: 00873F5A
_wcslen.LIBCMT ref: 00873F98
GetDriveTypeW.KERNEL32(?), ref: 00873FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00874087

Strings

open, xrefs: 00873F54, 00873F59
type cdaudio alias cd wait, xrefs: 00874001
close cd wait, xrefs: 00874072
closed, xrefs: 00873F08, 00873F2D, 00873F46, 00873F7E, 00873F97
set cd door , xrefs: 00874028
close, xrefs: 00873EFE, 00873F18
wait, xrefs: 00874044
open , xrefs: 00873FE5

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction ID: c6281f06e39eeef0fc494adf442dc8a0a29acb464f6e4a9d309902cded971eae
Opcode Fuzzy Hash: 98335b6b2134726332104aae321af93030d433f281c751d39b350e04fec719ec
Instruction Fuzzy Hash: B871E1716042119FC350EF28C88096AB7F4FF94768F10892DF999D3295EB31ED49CB92

Function 00865A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00865A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00865A40
SetWindowTextW.USER32(?,?), ref: 00865A57
GetDlgItem.USER32(?,000003EA), ref: 00865A6C
SetWindowTextW.USER32(00000000,?), ref: 00865A72
GetDlgItem.USER32(?,000003E9), ref: 00865A82
SetWindowTextW.USER32(00000000,?), ref: 00865A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00865AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00865AC3
GetWindowRect.USER32(?,?), ref: 00865ACC
_wcslen.LIBCMT ref: 00865B33
SetWindowTextW.USER32(?,?), ref: 00865B6F
GetDesktopWindow.USER32 ref: 00865B75
GetWindowRect.USER32(00000000), ref: 00865B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00865BD3
GetClientRect.USER32(?,?), ref: 00865BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00865C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00865C2F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction ID: 109a23167fe3a0bc4c23524f5c6d92020c59c464533694105a4863df38c9a7e2
Opcode Fuzzy Hash: c9134bad3299a55b6c24c011f9ea48a14b5803d126d8830eb9be52b93c1a86fe
Instruction Fuzzy Hash: 5D718E31900B09AFDB20EFA8CE85BAEBBF5FF48714F154919E182E25A0D775E944CB10

Function 0087FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0087FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0087FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0087FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0087FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0087FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0087FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0087FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0087FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0087FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0087FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0087FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0087FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0087FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0087FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0087FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0087FECC
GetCursorInfo.USER32(?), ref: 0087FEDC
GetLastError.KERNEL32 ref: 0087FF1E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction ID: 8f0340740b281c5a356536ef1011a807e8580efbdd2c90d42129aa329476728a
Opcode Fuzzy Hash: 6273365dfd01e9070019b40783e1ac6ef16e6b7e2667b282ef0c4ab57ffc622a
Instruction Fuzzy Hash: A84121B0D083196ADB109FBA8C8985EBFE8FF04754B54852AE11DE7281DF78E9018E91

Function 008200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008200C6

Part of subcall function 008200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008D070C,00000FA0,D9AFB2DF,?,?,?,?,008423B3,000000FF), ref: 0082011C
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008423B3,000000FF), ref: 00820127
Part of subcall function 008200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008423B3,000000FF), ref: 00820138
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0082014E
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0082015C
Part of subcall function 008200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0082016A
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00820195
Part of subcall function 008200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008201A0

___scrt_fastfail.LIBCMT ref: 008200E7

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

Strings

kernel32.dll, xrefs: 00820133
InitializeConditionVariable, xrefs: 00820148
SleepConditionVariableCS, xrefs: 00820154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00820122
WakeAllConditionVariable, xrefs: 00820162

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction ID: ee02a40eae320e7e21b968be53b294a62605296c7ed2d00795b99035fa57c382
Opcode Fuzzy Hash: b2c200cf53b4e93f977425a033c5bd93446bde37b4c2e6e3f2b8add24f157ca1
Instruction Fuzzy Hash: B8212632645720ABEB107B78BC06B6E37E8FB44B51F08013BF911E6393DB7598408E95

Function 008630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086318D
_wcslen.LIBCMT ref: 008631F8

Strings

CLASS, xrefs: 00863188, 008631A5
CLASSNN, xrefs: 008631F3, 00863204
INSTANCE, xrefs: 00863453
REGEXPCLASS, xrefs: 00863255, 00863266
TEXT, xrefs: 0086347C
NAME, xrefs: 00863335, 00863346

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction ID: 925e5f49a8951793f61a27a468fa918f78d8a39077ba9f931010bb3df10bc510
Opcode Fuzzy Hash: 95c1318ce9761581e0dcd1af4e47b3baf5eff3b144edab72af3acab7d778d937
Instruction Fuzzy Hash: 9AE1B532A00526ABCF189FA8C851BEEFBB4FF54714F568129E556F7240DF30AE858790

Function 008744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0089CC08), ref: 00874527
_wcslen.LIBCMT ref: 0087453B
_wcslen.LIBCMT ref: 00874599
_wcslen.LIBCMT ref: 008745F4
_wcslen.LIBCMT ref: 0087463F
_wcslen.LIBCMT ref: 008746A7

Part of subcall function 0081F9F2: _wcslen.LIBCMT ref: 0081F9FD

GetDriveTypeW.KERNEL32(?,008C6BF0,00000061), ref: 00874743

Strings

ramdisk, xrefs: 008746F1
unknown, xrefs: 00874708
removable, xrefs: 008745EA, 008745EF
all, xrefs: 00874531, 00874536
cdrom, xrefs: 0087458F, 00874594
fixed, xrefs: 00874635, 0087463A
network, xrefs: 0087469D, 008746A2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction ID: 462459c6b0c83bacbbf12a692831951683585cc679de46cc7248dbaffae3e207
Opcode Fuzzy Hash: e08ddfa817e035bd164039f763ce7f2ada720ed211e832c108e74b039e934be0
Instruction Fuzzy Hash: A3B103316083029FC714DF28C890A6AB7E5FFA5764F50992DF5AAC7295E730DC84CB62

Function 00883FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0089CC08), ref: 008840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0089CC08), ref: 008840F2
FreeLibrary.KERNEL32(00000000,?,0089CC08), ref: 0088413E
StringFromGUID2.OLE32(?,?,00000028,?,0089CC08), ref: 008841A8
SysFreeString.OLEAUT32(00000009), ref: 00884262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008842C8
SysFreeString.OLEAUT32(?), ref: 008842F2

Strings

GetModuleHandleExW, xrefs: 008840C7
kernel32.dll, xrefs: 008840B6

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction ID: 2bfd558ee899ccec3dde2444af7122eb6126ad379b1da8311ee07ee09d9c0eaf
Opcode Fuzzy Hash: 2d9371aeccbabd487b2ff9fa44d388e5bef1eeef8531fce3b387093cde4c62b3
Instruction Fuzzy Hash: 1B122C76A0021AEFDB14EF94C884EAEB7B5FF45318F248099E905DB251D731ED46CBA0

Function 0080326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008D1990), ref: 00842F8D
GetMenuItemCount.USER32(008D1990), ref: 0084303D
GetCursorPos.USER32(?), ref: 00843081
SetForegroundWindow.USER32(00000000), ref: 0084308A
TrackPopupMenuEx.USER32(008D1990,00000000,?,00000000,00000000,00000000), ref: 0084309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008430A9

Strings

0, xrefs: 0080327D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction ID: 52c28e49a0ca4663a9239b3bbb4c7c457b4cb36948e707227993e4ddf887375b
Opcode Fuzzy Hash: 36a16d31c453c5152feed14cfcbe0a280967e6dce5506fbf6658e6b054db094c
Instruction Fuzzy Hash: 47711931644209BFEB319F68CC49F9ABF68FF05328F244216F515E61E1CBB1A954C751

Function 00896CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00896DEB

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00896E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00896E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896E94
DestroyWindow.USER32(?), ref: 00896EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 00896EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00896EFD
GetDesktopWindow.USER32 ref: 00896F16
GetWindowRect.USER32(00000000), ref: 00896F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00896F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00896F4D

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

Strings

0, xrefs: 00896D98
tooltips_class32, xrefs: 00896E58, 00896EDD

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction ID: de814fc3fae047822db391490ed192e9f792dd8befb06fb0952c9ef27fe3f63b
Opcode Fuzzy Hash: b2ced47ff00f2f5499473e78945317594730004c33d748501c669991b732b23d
Instruction Fuzzy Hash: 73716670104244AFDB21EF18DC58FBABBE9FB89304F58051EF999C7261EB71A915CB12

Function 0089911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

DragQueryPoint.SHELL32(?,?), ref: 00899147

Part of subcall function 00897674: ClientToScreen.USER32(?,?), ref: 0089769A
Part of subcall function 00897674: GetWindowRect.USER32(?,?), ref: 00897710
Part of subcall function 00897674: PtInRect.USER32(?,?,00898B89), ref: 00897720

SendMessageW.USER32(?,000000B0,?,?), ref: 008991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00899225
SendMessageW.USER32(?,000000B0,?,?), ref: 0089923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00899255
SendMessageW.USER32(?,000000B1,?,?), ref: 00899277
DragFinish.SHELL32(?), ref: 0089927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00899371

Strings

@GUI_DROPID, xrefs: 0089929E
@GUI_DRAGID, xrefs: 008992E9
@GUI_DRAGFILE, xrefs: 00899320

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction ID: 794f3e3ad6d09faff25b5ad4586b736b80da2d2706af1fa0ce9e6f884312e2c2
Opcode Fuzzy Hash: ec73f74f0af8d5bb6ff81c8e446c48e044e417af114f66b45b08c781c22d2c7f
Instruction Fuzzy Hash: 79617B71108301AFD741EF98DC85DABBBE8FF85350F440A2EF595922A1DB309A48CB52

Function 0087C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0087C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0087C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0087C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0087C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0087C5F0
InternetCloseHandle.WININET(00000000), ref: 0087C5FB

Strings

, xrefs: 0087C575

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction ID: 5e1059ffb22c01fb929398ffbee3af20cea8d453ab6fa2dcbb01c60d3c78caab
Opcode Fuzzy Hash: 030c2fa9740c24a4b6d3593bd4074954991f0382c3f6c32aab284c139264995d
Instruction Fuzzy Hash: 1B516CB1500608BFDB219FA4C988AAB7BBCFF08744F04851EF949D7214DB32E9449B60

Function 0089856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00898592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985BA
GlobalLock.KERNEL32(00000000), ref: 008985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985D7
GlobalUnlock.KERNEL32(00000000), ref: 008985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0089FC38,?), ref: 00898611
GlobalFree.KERNEL32(00000000), ref: 00898621
GetObjectW.GDI32(?,00000018,?), ref: 00898641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00898671
DeleteObject.GDI32(?), ref: 00898699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008986AF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction ID: 84d778358dbc2d483b3f906bdcdf22be15b9e7f1d867a83db25ede633e0d3f4e
Opcode Fuzzy Hash: 86bb0b89ab8ca02b95b5db45598aa7fcd946384975c541a8b8030d8bbdd77e08
Instruction Fuzzy Hash: E8413A75600209EFDB11EFA5CC48EAA7BB8FF99715F184059F90AEB260DB319D01DB20

Function 008714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00871502
VariantCopy.OLEAUT32(?,?), ref: 0087150B
VariantClear.OLEAUT32(?), ref: 00871517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00871657
VariantInit.OLEAUT32(?), ref: 00871708
SysFreeString.OLEAUT32(?), ref: 0087178C
VariantClear.OLEAUT32(?), ref: 008717D8
VariantClear.OLEAUT32(?), ref: 008717E7
VariantInit.OLEAUT32(00000000), ref: 00871823

Strings

Default, xrefs: 008716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00871625

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 71b7c4f45e72fb5507e544da3fa62acdcbfcd85b43a672baf6d96b4ba1a74b7b
Instruction ID: 032351a9b1d3aeaef3166506c82411b05e5c7a03b134ad18d5ccb481831cf028
Opcode Fuzzy Hash: 71b7c4f45e72fb5507e544da3fa62acdcbfcd85b43a672baf6d96b4ba1a74b7b
Instruction Fuzzy Hash: B6D1E071A00109DBDF18AF68E889BB9B7B5FF44708F148056E40EEB989DB30D841DB52

Function 0088B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0088B80A
RegCloseKey.ADVAPI32(?), ref: 0088B87E
RegCloseKey.ADVAPI32(?), ref: 0088B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0088B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0088B922
FreeLibrary.KERNEL32(00000000), ref: 0088B983
RegCloseKey.ADVAPI32(00000000), ref: 0088B994

Strings

advapi32.dll, xrefs: 0088B8ED
RegDeleteKeyExW, xrefs: 0088B8FE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction ID: 67b451c823f4249186405a1e417416154ccc6e8c477bb13e4e751eb94317fabd
Opcode Fuzzy Hash: 5a01248e919bd9d3ebb4c22580ecfb8a70911333571bc40c2d9dd082399cb271
Instruction Fuzzy Hash: 9EC16D30204241AFD714EF18C895F2ABBE5FF84318F18855CE59A8B3A2DB75ED45CB92

Function 0088255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008825E8
CreateCompatibleDC.GDI32(?), ref: 008825F4
SelectObject.GDI32(00000000,?), ref: 00882601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0088266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008826D0
SelectObject.GDI32(?,?), ref: 008826D8
DeleteObject.GDI32(?), ref: 008826E1
DeleteDC.GDI32(?), ref: 008826E8
ReleaseDC.USER32(00000000,?), ref: 008826F3

Strings

(, xrefs: 0088268D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 25b82018ab23f4afc7375316132f4f0cb21a2615eeaa90e47e5e125aa5f7c730
Instruction ID: ff96da17be8633ecac368d169e118a7abdc7810cbd87dbf08c51c08b23886f2d
Opcode Fuzzy Hash: 25b82018ab23f4afc7375316132f4f0cb21a2615eeaa90e47e5e125aa5f7c730
Instruction Fuzzy Hash: 0F610275D00219EFCF04DFA8D884AAEBBB5FF48310F24852AE955E7250E771A941CFA4

Function 0083DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0083DAA1

Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D659
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D66B
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D67D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D68F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6A1
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6B3
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6C5
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6D7
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6E9
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D6FB
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D70D
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D71F
Part of subcall function 0083D63C: _free.LIBCMT ref: 0083D731

_free.LIBCMT ref: 0083DA96

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083DAB8
_free.LIBCMT ref: 0083DACD
_free.LIBCMT ref: 0083DAD8
_free.LIBCMT ref: 0083DAFA
_free.LIBCMT ref: 0083DB0D
_free.LIBCMT ref: 0083DB1B
_free.LIBCMT ref: 0083DB26
_free.LIBCMT ref: 0083DB5E
_free.LIBCMT ref: 0083DB65
_free.LIBCMT ref: 0083DB82
_free.LIBCMT ref: 0083DB9A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction ID: 27a6b11f451bb8797bee742b8dbd00be9e0e48a942c01041571aff32d63235c2
Opcode Fuzzy Hash: 6779cc06841062628852ef6f57858f6b1a37cf065ed595664b48cd3d3855f048
Instruction Fuzzy Hash: 253149326043159FEB22AA39F845F5ABBE9FF80320F154469F859D7191DF71EC808BA1

Function 0086365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0086369C
_wcslen.LIBCMT ref: 008636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00863797
GetClassNameW.USER32(?,?,00000400), ref: 0086380C
GetDlgCtrlID.USER32(?), ref: 0086385D
GetWindowRect.USER32(?,?), ref: 00863882
GetParent.USER32(?), ref: 008638A0
ScreenToClient.USER32(00000000), ref: 008638A7
GetClassNameW.USER32(?,?,00000100), ref: 00863921
GetWindowTextW.USER32(?,?,00000400), ref: 0086395D

Strings

%s%u, xrefs: 00863734

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction ID: 9d4192264b17caebacc7e218fa4915fb31b1d28c9a0826e632896bd30af24772
Opcode Fuzzy Hash: 105947b2869c21a538501dafc96dfc89b44dc17c64adeb55b6e393bccd2d4744
Instruction Fuzzy Hash: 0A91C171204706AFD719DF24C885FEAFBA9FF44350F018629F99AC2190EB30EA55CB91

Function 00864954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00864994
GetWindowTextW.USER32(?,?,00000400), ref: 008649DA
_wcslen.LIBCMT ref: 008649EB
CharUpperBuffW.USER32(?,00000000), ref: 008649F7
_wcsstr.LIBVCRUNTIME ref: 00864A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00864A64
GetWindowTextW.USER32(?,?,00000400), ref: 00864A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00864AE6
GetClassNameW.USER32(?,?,00000400), ref: 00864B20
GetWindowRect.USER32(?,?), ref: 00864B8B

Strings

ThumbnailClass, xrefs: 00864A6F, 00864AF1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction ID: 8a0d7d8310b816bfb16798764ccefe87aa962b97ef45d08209e2bcaa453d8efa
Opcode Fuzzy Hash: daf0bbf3c7e87736f8a0cced7e734e4a1887cd3737dac197017497c07b9101ff
Instruction Fuzzy Hash: 6591DB31004209AFDB05DF54D881BAE7BE8FF84314F05946AFD85DA196EB30ED45CBA2

Function 00898D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00898D5A
GetFocus.USER32 ref: 00898D6A
GetDlgCtrlID.USER32(00000000), ref: 00898D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00898E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00898ECF
GetMenuItemCount.USER32(?), ref: 00898EEC
GetMenuItemID.USER32(?,00000000), ref: 00898EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00898F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00898F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00898FA1

Strings

0, xrefs: 00898E9F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7bf3927939974e9211891ced9c09f6a0cc131adcb7c741addab804bd5ea1bf6a
Instruction ID: 4f4ddfdb1811c4279dfde3957ed2a049a7f270462d00de96579c6bde2b24e057
Opcode Fuzzy Hash: 7bf3927939974e9211891ced9c09f6a0cc131adcb7c741addab804bd5ea1bf6a
Instruction Fuzzy Hash: DA817C71508306EBDB11EF24D884AAB7BE9FB8A754F18091EF985D7291DB31D900CB62

Function 0086BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008D1990,000000FF,00000000,00000030), ref: 0086BFAC
SetMenuItemInfoW.USER32(008D1990,00000004,00000000,00000030), ref: 0086BFE1
Sleep.KERNEL32(000001F4), ref: 0086BFF3
GetMenuItemCount.USER32(?), ref: 0086C039
GetMenuItemID.USER32(?,00000000), ref: 0086C056
GetMenuItemID.USER32(?,-00000001), ref: 0086C082
GetMenuItemID.USER32(?,?), ref: 0086C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0086C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086C145

Strings

0, xrefs: 0086BF3D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9f63d43de07f5142514f0f987b7d96c7bcca9748e21af52bfad587820f035047
Instruction ID: c10266f42871e4dd2f392362a9c5e420a34c483e0467134b1204e1ecfe23ca39
Opcode Fuzzy Hash: 9f63d43de07f5142514f0f987b7d96c7bcca9748e21af52bfad587820f035047
Instruction Fuzzy Hash: C26180B090024AAFDF11DF68CD88ABEBBB8FB05348F064156E891E3291C735AD44CB61

Function 0086DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0086DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0086DC46
_wcslen.LIBCMT ref: 0086DC50
_wcsstr.LIBVCRUNTIME ref: 0086DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0086DCBC

Strings

04090000, xrefs: 0086DCF2
\VarFileInfo\Translation, xrefs: 0086DCB4
StringFileInfo\, xrefs: 0086DC8F
%u.%u.%u.%u, xrefs: 0086DD9A
DefaultLangCodepage, xrefs: 0086DD1F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3636d57d083a7200d4d6b68d40f0f14511d60f1f04d9946a1f33be489c02e877
Instruction ID: 7a77f38277690808c02a1fc0ea27be413b7245f1377e566194fb4585017af922
Opcode Fuzzy Hash: 3636d57d083a7200d4d6b68d40f0f14511d60f1f04d9946a1f33be489c02e877
Instruction Fuzzy Hash: 5541F232A403147BDB10B769AC43EFF77ACFF45720F14006AF904E6282EA75994186A6

Function 0088CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0088CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD48

Part of subcall function 0088CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0088CCAA
Part of subcall function 0088CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0088CCBD
Part of subcall function 0088CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0088CCCF
Part of subcall function 0088CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0088CD05
Part of subcall function 0088CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0088CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0088CCF3

Strings

advapi32.dll, xrefs: 0088CCB8
RegDeleteKeyExW, xrefs: 0088CCC9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction ID: cdf7434531aad7afc54b7d9dc884f9cf8f2eec9b57ea624612bb260de19bdc5e
Opcode Fuzzy Hash: a27e03964fc085116183840cf0e9d0f333f9fb5d8b051885d25965b41e9036e7
Instruction Fuzzy Hash: B5318C71A01129BBDB20AB65DC88EFFBB7CFF05740F040166B906E3244DA349A45DBB0

Function 00873D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00873D40
_wcslen.LIBCMT ref: 00873D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00873D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00873DBE
RemoveDirectoryW.KERNEL32(?), ref: 00873DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00873E55
CloseHandle.KERNEL32(00000000), ref: 00873E60
CloseHandle.KERNEL32(00000000), ref: 00873E6B

Strings

\??\%s, xrefs: 00873D5B
\, xrefs: 00873D77
:, xrefs: 00873D82

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction ID: f4a5a1130ac0ac9737e9a8cbe087ea6e7237b9445e52c156aa05f30c17f12391
Opcode Fuzzy Hash: 7e67fe8118dab5eafb8c7a19926ab50c97abd71c1d2ccdcaaebe0147342fe79d
Instruction Fuzzy Hash: 2031C371904219ABDB209BA4DC49FEB3BBCFF88700F1040B6F509D2164E770D7849B25

Function 0086E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0086E6B4

Part of subcall function 0081E551: timeGetTime.WINMM(?,?,0086E6D4), ref: 0081E555

Sleep.KERNEL32(0000000A), ref: 0086E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0086E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0086E727
SetActiveWindow.USER32 ref: 0086E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0086E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0086E773
Sleep.KERNEL32(000000FA), ref: 0086E77E
IsWindow.USER32 ref: 0086E78A
EndDialog.USER32(00000000), ref: 0086E79B

Strings

BUTTON, xrefs: 0086E719

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction ID: be7a2b4f63e5e5bbf91693c193fc79bc814c7211f1b7135e42ce45b94071f2df
Opcode Fuzzy Hash: f381fa25aa7e49d5fa49b6dd9fee4e607e07a5794a1c6f9eee300d054baf313e
Instruction Fuzzy Hash: 7B218EB5201304AFEB12AFA4EC89E263B69FB74749F150526F412C22A1DB72AC04DB25

Function 0086E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0086EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0086EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0086EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0086EAA7

Strings

play PlayMe, xrefs: 0086EAA2
play PlayMe wait, xrefs: 0086EA91
status PlayMe mode, xrefs: 0086EA58
alias PlayMe, xrefs: 0086EA36
close PlayMe, xrefs: 0086EA6E, 0086EA9B
open , xrefs: 0086EA0C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction ID: bc98eeebddf9f17df9ef17e4a38f9b36d8dfb0ab86da5cbf0f760f1347187295
Opcode Fuzzy Hash: 1efced659e27eb22a0ed8fc3c145280a87b487fda84f8bc8a31ecce241ab66a0
Instruction Fuzzy Hash: 55119135A9022979D720A7A9DD4AEFF6E7CFFD1B40F010439B411E21D1EE704918C6B1

Function 00869F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0086A012
SetKeyboardState.USER32(?), ref: 0086A07D
GetAsyncKeyState.USER32(000000A0), ref: 0086A09D
GetKeyState.USER32(000000A0), ref: 0086A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0086A0E3
GetKeyState.USER32(000000A1), ref: 0086A0F4
GetAsyncKeyState.USER32(00000011), ref: 0086A120
GetKeyState.USER32(00000011), ref: 0086A12E
GetAsyncKeyState.USER32(00000012), ref: 0086A157
GetKeyState.USER32(00000012), ref: 0086A165
GetAsyncKeyState.USER32(0000005B), ref: 0086A18E
GetKeyState.USER32(0000005B), ref: 0086A19C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction ID: a2c69d66cc8a35d67bfcae21a4e9fabd7116a3c2b752c5602a7586f1a93b258a
Opcode Fuzzy Hash: 5405b47c2de83635591122fb18c7885483fcd457e40ad62a87c9c4fab1ed2d86
Instruction Fuzzy Hash: E5519A2050478869FB39EB6484157EABFF5FF12340F0A4599D5C2E71C2DE64AA8CCB63

Function 00865CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00865CE2
GetWindowRect.USER32(00000000,?), ref: 00865CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00865D59
GetDlgItem.USER32(?,00000002), ref: 00865D69
GetWindowRect.USER32(00000000,?), ref: 00865D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00865DCF
GetDlgItem.USER32(?,000003E9), ref: 00865DDD
GetWindowRect.USER32(00000000,?), ref: 00865DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00865E31
GetDlgItem.USER32(?,000003EA), ref: 00865E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00865E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00865E67

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction ID: fb4e82416321ef9660ee51c26e720ea376a1f7a8ef767cfb280978e9b11aa7cd
Opcode Fuzzy Hash: aee5eb470addc3349e31cd167ddddf79025869cf2ad5f1dba05ac939d8ee9f2a
Instruction Fuzzy Hash: DE511071B00609AFDF18DFA8DD89AAEBBB5FB48300F558129F516E7294D7719E00CB60

Function 00818BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00818F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00818BE8,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818FC5

DestroyWindow.USER32(?), ref: 00818C81
KillTimer.USER32(00000000,?,?,?,?,00818BBA,00000000,?), ref: 00818D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00856973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000,?), ref: 008569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00818BBA,00000000), ref: 008569D4
DeleteObject.GDI32(00000000), ref: 008569E6

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction ID: 61e40edb31d935693f9dee9d88d327327dcfeda23eea4e02002f6e9d18dac12b
Opcode Fuzzy Hash: 31a4e3609490fc0c72d8f7704c2d1b79a4d76e20d63c465b09adc6893c5f12b5
Instruction Fuzzy Hash: 2961BD30502710EFCB229F18D95ABA5BBF5FF50316F94461AE442D7A60CB32A8D4CF90

Function 00819838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00819944: GetWindowLongW.USER32(?,000000EB), ref: 00819952

GetSysColor.USER32(0000000F), ref: 00819862

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction ID: 962ac01b70a5591d94b733506c064c4f0d3c79cf0b698f2c11a3d1cc4d1e1eaf
Opcode Fuzzy Hash: 5f9f28e52310aff6cca298d8ffea0893d07b853599c1d446c5e2ddade3805be6
Instruction Fuzzy Hash: 75417E31104644AFDB205F389C98BF93BA9FF06721F584666F9E2C71E1D7319881DB11

Function 008696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00869717
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869720

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0084F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00869742
LoadStringW.USER32(00000000,?,0084F7F8,00000001), ref: 00869745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00869866

Strings

^ ERROR, xrefs: 008697FB
%s (%d) : ==> %s: %s %s, xrefs: 0086984A
Line %d:, xrefs: 008697A0
Line %d (File "%s"):, xrefs: 0086978F
Error: , xrefs: 0086981D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction ID: 3f84481b77032437d5b013b53dff020bef4d6ace1806b3a6183643ff9b59c859
Opcode Fuzzy Hash: 66719500067c2e923c3e5c93de7c86e9f618689edeeadfe5a2b3017a768ccb3b
Instruction Fuzzy Hash: F9410972900219AACB04EBE8DD86EEE777CFF54340F510165F605E21D2EA356F58CB62

Function 008606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00860804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0086082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00860837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0086083C

Strings

\CLSID, xrefs: 00860724
\IPC$, xrefs: 00860784
SOFTWARE\Classes\, xrefs: 0086070E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction ID: e766192cb50cfced823d018019a1e148552ac81756392e25f1c6c76cb78ce31f
Opcode Fuzzy Hash: f863daa5ab94d7123c0ba6b9722f909afd8931305a7ce07b0ad5b96c7c9991dd
Instruction Fuzzy Hash: FD410572D10229ABCF15EBA4DC95DEEB778FF04350F054169E911A32A1EB31AE44CFA1

Function 00893F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0089403B
CreateCompatibleDC.GDI32(00000000), ref: 00894042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00894055
SelectObject.GDI32(00000000,00000000), ref: 0089405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00894068
DeleteDC.GDI32(00000000), ref: 00894072
GetWindowLongW.USER32(?,000000EC), ref: 0089407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00894092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0089409E

Strings

static, xrefs: 00893FD3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 25939fe29cecb8ac9257447155dc6f24a634370a25df049c85de05c36671ff76
Instruction ID: 2c99bb34e04847f73256b691904e1c80eb54bc1458dbc432b3a0c1170d665c1d
Opcode Fuzzy Hash: 25939fe29cecb8ac9257447155dc6f24a634370a25df049c85de05c36671ff76
Instruction Fuzzy Hash: C9316E32501219BBDF22AFA8CC09FDA3B68FF0D324F190215FA55E61A0D776D821DB64

Function 00883C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00883C5C
CoInitialize.OLE32(00000000), ref: 00883C8A
CoUninitialize.OLE32 ref: 00883C94
_wcslen.LIBCMT ref: 00883D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00883DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00883ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00883F0E
CoGetObject.OLE32(?,00000000,0089FB98,?), ref: 00883F2D
SetErrorMode.KERNEL32(00000000), ref: 00883F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00883FC4
VariantClear.OLEAUT32(?), ref: 00883FD8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction ID: e10bef801602453883773c1f85932649eb9f6f8adf4f5e5d13d8ab845641b510
Opcode Fuzzy Hash: 0582ef0520f5346e5f3b4b78c6a290e7073d9f87fc2db30175e554af05a91b3a
Instruction Fuzzy Hash: DFC125716082059FD700EF68C88492BB7E9FF89B48F14491DF98ADB251DB31EE45CB92

Function 00877A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00877AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00877B8F
SHGetDesktopFolder.SHELL32(?), ref: 00877BA3
CoCreateInstance.OLE32(0089FD08,00000000,00000001,008C6E6C,?), ref: 00877BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00877C74
CoTaskMemFree.OLE32(?,?), ref: 00877CCC
SHBrowseForFolderW.SHELL32(?), ref: 00877D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00877D7A
CoTaskMemFree.OLE32(00000000), ref: 00877D81
CoTaskMemFree.OLE32(00000000), ref: 00877DD6
CoUninitialize.OLE32 ref: 00877DDC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e2cdd4613750090f508e63cf72f62d7786e3253f8001ccd64554bb00f2305427
Instruction ID: cf237ddbd52234ae8de119e68763d0e7f5d89cb84c9a382f748d812a00e20339
Opcode Fuzzy Hash: e2cdd4613750090f508e63cf72f62d7786e3253f8001ccd64554bb00f2305427
Instruction Fuzzy Hash: 1AC12C75A04109AFCB14DFA8C884DAEBBF9FF48314B1484A9E81ADB361D731ED41CB90

Function 0089541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00895504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00895515
CharNextW.USER32(00000158), ref: 00895544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00895585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0089559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008955AC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction ID: f4f4992f5a705ce1d3a4f0d9f71c769f49899b8845a97a59ba78b5a5e6a39cb3
Opcode Fuzzy Hash: 7e93dd8822a6a2dc3aa3bbca6081a9b4ed2a89f7f8de3764e6fb10e2a2489f29
Instruction Fuzzy Hash: 9061AD71900608AFDF52AF94CC849FE7BB9FF09724F18414AF925EA291D7709A80DB61

Function 0085FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0085FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0085FB08
VariantInit.OLEAUT32(?), ref: 0085FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0085FB3A
VariantCopy.OLEAUT32(?,?), ref: 0085FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0085FBA1
VariantClear.OLEAUT32(?), ref: 0085FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0085FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBCC
VariantClear.OLEAUT32(?), ref: 0085FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0085FBE9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction ID: d55dce378e0ac85aee8dcb28049858848f01711384b6726c04303a3a872745f2
Opcode Fuzzy Hash: 3673c050aad7ea5ca9ad6d5be51c40df057e91fb89c4be8acb01c9c8d4bcb073
Instruction Fuzzy Hash: EA415135A00219DFCF00EF68C8549ADBBB9FF08355F048065E945E7261CB31A945CFA2

Function 00869C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00869CA1
GetAsyncKeyState.USER32(000000A0), ref: 00869D22
GetKeyState.USER32(000000A0), ref: 00869D3D
GetAsyncKeyState.USER32(000000A1), ref: 00869D57
GetKeyState.USER32(000000A1), ref: 00869D6C
GetAsyncKeyState.USER32(00000011), ref: 00869D84
GetKeyState.USER32(00000011), ref: 00869D96
GetAsyncKeyState.USER32(00000012), ref: 00869DAE
GetKeyState.USER32(00000012), ref: 00869DC0
GetAsyncKeyState.USER32(0000005B), ref: 00869DD8
GetKeyState.USER32(0000005B), ref: 00869DEA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction ID: 02ed41e6a983e8e43a2c0357c6023496fd6a629351c6989c65ff8f4101027038
Opcode Fuzzy Hash: 3e67a72017c15e12cad0fbbb6a618c39a5988eba3bf1962125fcec0523312be3
Instruction Fuzzy Hash: AF41B7345047C96DFF319764C8043B5BEA8FF11344F09806ADAC69A5C2EBF599D8C7A2

Function 0088055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008805BC
inet_addr.WSOCK32(?), ref: 0088061C
gethostbyname.WSOCK32(?), ref: 00880628
IcmpCreateFile.IPHLPAPI ref: 00880636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008807B9
WSACleanup.WSOCK32 ref: 008807BF

Strings

Ping, xrefs: 00880676

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a9b22674fc4cc24d639adb035864a090b1f2bc2dd6ba13a01bc9124b38d0f3ad
Instruction ID: 145df43871166680f0289ca09d82e458d3068df03a4151b0d0958419a70d9ecf
Opcode Fuzzy Hash: a9b22674fc4cc24d639adb035864a090b1f2bc2dd6ba13a01bc9124b38d0f3ad
Instruction Fuzzy Hash: 66918E356082419FD760EF19C889F1ABBE0FF44318F1485A9E469DB6A2C731ED49CF92

Function 00888CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00888CF3

Part of subcall function 00868E54: _wcslen.LIBCMT ref: 00868E77

_wcslen.LIBCMT ref: 00888D4E
_wcslen.LIBCMT ref: 00888D9C
_wcslen.LIBCMT ref: 00888DDC
_wcslen.LIBCMT ref: 00888E6E

Strings

stdcall, xrefs: 00888DD6, 00888DDB
cdecl, xrefs: 00888D48, 00888D4D
none, xrefs: 00888E65, 00888E6A
winapi, xrefs: 00888D96, 00888D9B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction ID: 6f8483cc69a837b607caf3ee14e41bd4ca6676169c253d2f49be98d7a1235177
Opcode Fuzzy Hash: eb9965c6040dbc43f0dcd909aab79eeb3544a19e9b9198b9f975739004ab02e6
Instruction Fuzzy Hash: 31518131A00116DBCB24EF6CC9409BEB7A5FF64724BA14229E966E72C5DB31DD40CB91

Function 0088372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00883774
CoUninitialize.OLE32 ref: 0088377F
CoCreateInstance.OLE32(?,00000000,00000017,0089FB78,?), ref: 008837D9
IIDFromString.OLE32(?,?), ref: 0088384C
VariantInit.OLEAUT32(?), ref: 008838E4
VariantClear.OLEAUT32(?), ref: 00883936

Strings

NULL Pointer assignment, xrefs: 0088381E
Invalid parameter, xrefs: 00883865
Failed to create object, xrefs: 008837E4, 0088389A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction ID: bf46520f5b95032321bb65ff2601aed9a45354c0b44d775f2bf7ec833df7f2d3
Opcode Fuzzy Hash: f418b14c7791e36037675f468bae72a057535dda43c3a3f1eaf79383548049ab
Instruction Fuzzy Hash: 99617C71608301AFD710EF58C849B6ABBE8FF49B14F144829F995DB291D770EE48CB92

Function 00873388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008733CF

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008733F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00873522
"%s" (%d) : ==> %s:%s%s, xrefs: 00873504
Incorrect parameters to object property !, xrefs: 008734AB
^ ERROR , xrefs: 0087349E
Line %d (File "%s"):, xrefs: 00873443, 0087345C
Error: , xrefs: 008734D1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction ID: 09ba2dc2a4639e669dc9b494c345ca8c6c947a539948340fa8e199e75716cd35
Opcode Fuzzy Hash: bb835a74aa2adf825ed4439ca6ecca14a89b5048fa161380b641138b9eb1d835
Instruction Fuzzy Hash: A351AF71900209AADF18EBA4DD46EEEB778FF14300F108165F109F2292EB356F58DB62

Function 0086B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0086B5FC
_wcslen.LIBCMT ref: 0086B608
_wcslen.LIBCMT ref: 0086B64D
_wcslen.LIBCMT ref: 0086B68C
_wcslen.LIBCMT ref: 0086B6C7

Strings

KEYS, xrefs: 0086B647, 0086B64C
EXISTS, xrefs: 0086B686, 0086B68B
APPEND, xrefs: 0086B6C1, 0086B6C6
REMOVE, xrefs: 0086B602, 0086B607

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction ID: 08cddf615982cb60e999a5bac452331b241ad6ea205d6df057182affb6666267
Opcode Fuzzy Hash: d73f30ce564a981fa2439c62de2e519b83354092686177a9064b332fd5400a0c
Instruction Fuzzy Hash: 6B41A332A011269BCB206F7DC9905BE77A5FBB076CB264629E561DB284F731CDC1C7A0

Function 00875393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00875416
GetLastError.KERNEL32 ref: 00875420
SetErrorMode.KERNEL32(00000000,READY), ref: 008754A7

Strings

READY, xrefs: 00875460, 00875468
NOTREADY, xrefs: 0087544B
INVALID, xrefs: 00875459
READONLY, xrefs: 00875452
UNKNOWN, xrefs: 00875444

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction ID: 3be4ff5804ebed2b6df35b22aed711dbc78b8e7ddb8c368f8eec8ccba7629c3f
Opcode Fuzzy Hash: 2cc5e6f8e4949ad89858f40613a12bc6bdfa1d81128f7f7ecb81b187b8d0ea05
Instruction Fuzzy Hash: 8231D6B5A005049FD710DF68C884FAA7BB4FF45305F14C069E50ADB296DBB1DD86CB91

Function 00893C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00893C79
SetMenu.USER32(?,00000000), ref: 00893C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893D10
IsMenu.USER32(?), ref: 00893D24
CreatePopupMenu.USER32 ref: 00893D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893D5B
DrawMenuBar.USER32 ref: 00893D63

Strings

F, xrefs: 00893D4E
0, xrefs: 00893C54

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction ID: d82987c6912c6eae33361f07a9f7fd3323c33fabe59565114832bdad169d94df
Opcode Fuzzy Hash: 31e7e8ff9b28b249ccf9e0c3dd58e680572c2149bbadc6446071179f713a0cb4
Instruction Fuzzy Hash: 30415CB5A01209EFDF14EFA4D854AAA7BB5FF49354F180029F946E7360D731AA10CF94

Function 00861EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00861F64
GetDlgCtrlID.USER32 ref: 00861F6F
GetParent.USER32 ref: 00861F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861F8E
GetDlgCtrlID.USER32(?), ref: 00861F97
GetParent.USER32(?), ref: 00861FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00861FAE

Strings

ComboBox, xrefs: 00861EEC
ListBox, xrefs: 00861F21

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction ID: b108d3d49b294910b4145ccc95e5e40c1c0d71ef52483c254fceb8b89a961147
Opcode Fuzzy Hash: c849ae0f9cbf9a83cfe44c1880b6156930e6e83f2e1ab4335d4a8ac86dea04b3
Instruction Fuzzy Hash: 3621B071A00214BBCF05AFA4DC85EEEBBB9FF15310F04411AF961A72E2DB3559149B60

Function 00861FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00862043
GetDlgCtrlID.USER32 ref: 0086204E
GetParent.USER32 ref: 0086206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086206D
GetDlgCtrlID.USER32(?), ref: 00862076
GetParent.USER32(?), ref: 0086208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0086208D

Strings

ComboBox, xrefs: 00861FCD
ListBox, xrefs: 00862002

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction ID: 283e2ada69a3a912e87a56dc40c49ed402c8f39f9f4b6314836dfede11f55153
Opcode Fuzzy Hash: c07cf94ac5ce742bc194ff408f09d1e5b65c4f560a963a0d78fa68240ec8073b
Instruction Fuzzy Hash: 4521CFB5D00618BBDF11AFA4CC85EEEBBB8FF15300F00405AF991E72A1DA799914DB61

Function 00893A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00893A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00893AA0
GetWindowLongW.USER32(?,000000F0), ref: 00893AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00893AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00893B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00893BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00893BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00893BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00893BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00893C13

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction ID: 66cff08b8da7b130112039fc51226da382761306c221dd161537cd14b9e6d36d
Opcode Fuzzy Hash: db56c8c6e6f5640030b829e5b493836f55f3b27a34015731b8279e7d8109bd3f
Instruction Fuzzy Hash: AE615975A00208AFDF11EFA8CC85EEE77B8FB09714F14015AFA15E7291C770AA41DB50

Function 0086B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B165
GetWindowThreadProcessId.USER32(00000000), ref: 0086B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0086B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0086A1E1,?,00000001), ref: 0086B21D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction ID: f4123b4a938ef94cca7ba4a1bb5d05d415ae3b65078a51f874266553f2bae5f8
Opcode Fuzzy Hash: 684e269402f564a93d13b23548d149f49f191a815bd3dcda8fff00ad4e1aa6cc
Instruction Fuzzy Hash: CE310CB1100604BFDB21AF64DC58FAE7BA9FB21319F16811AFA01C7290C7B49E808F61

Function 00832C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00832C94

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 00832CA0
_free.LIBCMT ref: 00832CAB
_free.LIBCMT ref: 00832CB6
_free.LIBCMT ref: 00832CC1
_free.LIBCMT ref: 00832CCC
_free.LIBCMT ref: 00832CD7
_free.LIBCMT ref: 00832CE2
_free.LIBCMT ref: 00832CED
_free.LIBCMT ref: 00832CFB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction ID: 578eec8e57db728801001a0ce3238b61a8020137d868235cb6a4087347bd14ea
Opcode Fuzzy Hash: 2ddcdacff297c21c0991bf2df1bc4abde4b7ce9a973aa6ddd4197811a19849b8
Instruction Fuzzy Hash: E911A476100118AFCB02EF98E882EDD7FA5FF45350F4144A5FA489F222DA31EE509B91

Function 00877DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00877FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00877FC1
GetFileAttributesW.KERNEL32(?), ref: 00877FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00878005
SetCurrentDirectoryW.KERNEL32(?), ref: 00878017
SetCurrentDirectoryW.KERNEL32(?), ref: 00878060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008780B0

Strings

*.*, xrefs: 00878066

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction ID: c4cb97151753ed971ee2c73eb3a6c0323cb5691073b1d86027e4caaead17ba6e
Opcode Fuzzy Hash: 8195c6c8cbac6e145dc9c63e4acd26db881d3e51a57dacc5732bb67af2cbbe4e
Instruction Fuzzy Hash: E481A0725082459BDB20EF18C8449AEB3E8FF88714F148C6EF889C7264EB75DD45CB92

Function 00805BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00805C7A

Part of subcall function 00805D0A: GetClientRect.USER32(?,?), ref: 00805D30
Part of subcall function 00805D0A: GetWindowRect.USER32(?,?), ref: 00805D71
Part of subcall function 00805D0A: ScreenToClient.USER32(?,?), ref: 00805D99

GetDC.USER32 ref: 008446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00844708
SelectObject.GDI32(00000000,00000000), ref: 00844716
SelectObject.GDI32(00000000,00000000), ref: 0084472B
ReleaseDC.USER32(?,00000000), ref: 00844733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008447C4

Strings

U, xrefs: 00844693

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction ID: 65826155bfccca95a80c055a7bf3da74fc05ced8edd7585dd5a3f9f419381ac6
Opcode Fuzzy Hash: 2f46444dfa9aea2ca13ed0b71cf584eac0cfb8b43b66589dd084fcd0ab844d4f
Instruction Fuzzy Hash: AB71013140020DEFDF218F64CD84BBA7BB1FF5A324F28122AE955DA1A6C7319842DF60

Function 0087359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008735E4

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

LoadStringW.USER32(008D2390,?,00000FFF,?), ref: 0087360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00873742
"%s" (%d) : ==> %s:%s%s, xrefs: 00873724
^ ERROR, xrefs: 008736C9
Line %d (File "%s"):, xrefs: 0087366B
Error: , xrefs: 008736EF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction ID: abf7c67af052f36bbff58c618b3a0d473cd4a7dca7d1087bd11b1413a25efa1c
Opcode Fuzzy Hash: 1764b57ccce669c5034efd9d00fa618c463d6e93c2ae1a891cc0c32b8c5dc576
Instruction Fuzzy Hash: 5B516E71900209BADF18EBA4DC42EEEBB78FF14350F044125F115B22A2EB355B99DF62

Function 00898B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Part of subcall function 0081912D: GetCursorPos.USER32(?), ref: 00819141
Part of subcall function 0081912D: ScreenToClient.USER32(00000000,?), ref: 0081915E
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000001), ref: 00819183
Part of subcall function 0081912D: GetAsyncKeyState.USER32(00000002), ref: 0081919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00898B6B
ImageList_EndDrag.COMCTL32 ref: 00898B71
ReleaseCapture.USER32 ref: 00898B77
SetWindowTextW.USER32(?,00000000), ref: 00898C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00898C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00898CFF

Strings

@GUI_DROPID, xrefs: 00898C51
@GUI_DRAGFILE, xrefs: 00898C9A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: dae9784ce356a89720f9299ae916d1b871614a0ad6ea2c703294bda5166964a4
Instruction ID: f1d81ef48720c358628a2f3dd4559ddc77a0be5cfb93734b65eabe2ace486abf
Opcode Fuzzy Hash: dae9784ce356a89720f9299ae916d1b871614a0ad6ea2c703294bda5166964a4
Instruction Fuzzy Hash: BF519A70105200AFDB00EF18DC59BAA77E4FF88714F44062EF992A72E2CB719944CB62

Function 0087C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0087C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0087C2CA
GetLastError.KERNEL32 ref: 0087C322
SetEvent.KERNEL32(?), ref: 0087C336
InternetCloseHandle.WININET(00000000), ref: 0087C341

Strings

, xrefs: 0087C2BB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction ID: 9def2bcb9e9dcd44b7cf5a439fc0fbcdd8e56621eb761a03e2126e16e3350879
Opcode Fuzzy Hash: 8647243a095e568d73eaf8738ddea1a5c3bd821856aba4f90f9180b77c975bbd
Instruction Fuzzy Hash: DC3169B1600608AFD721AFA88888AAB7AFCFB49744B14851EF44AD3205DB35DD449B61

Function 0086989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00843AAF,?,?,Bad directive syntax error,0089CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008698BC
LoadStringW.USER32(00000000,?,00843AAF,?), ref: 008698C3

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00869987

Strings

Line %d:, xrefs: 00869912
Error: , xrefs: 00869955
Line %d (File "%s"):, xrefs: 0086992D
., xrefs: 0086996D
%s (%d) : ==> %s.: %s %s, xrefs: 008698F1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction ID: f7703db06ddc2df83f0166c6c8854584fa06eb87e8f12038efd398a1b77b8bbb
Opcode Fuzzy Hash: 3f00e634b350ae87f48d0e3c9bdf44d3e455ec3f1999ccbe284c21515f6d06c2
Instruction Fuzzy Hash: C3218D31C0021EABCF15AF94CC46EEE7B39FF18304F04446AF515A21E2EB35A668DB12

Function 0086209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0086214D

Strings

smallicons, xrefs: 00862115
list, xrefs: 0086212F
SHELLDLL_DefView, xrefs: 008620CC
largeicons, xrefs: 008620E1
details, xrefs: 008620FB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction ID: 35d18d31b9d5175eff182cf2a4f75fb38ce1805d8bdb342f1d5614a298570077
Opcode Fuzzy Hash: df2e56132a7151b50586f0938fd6b27a36c782cf53fd9cb4e577adc0beab3445
Instruction Fuzzy Hash: 8E11367628CB16BAFA026224EC07DA637ACFB16324B21005BFB05E40D1FF75BC825625

Function 00838D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction ID: 089ec403e10b939a8d811530cdfda49905779930292bd9b5fe5861e884360306
Opcode Fuzzy Hash: 095612cce7fd5acbfc83ee4f442d20e7850ef545e719e9c0fa05b774d7fa6c0d
Instruction Fuzzy Hash: D7C1CE74904249EFCB159FA8D851BADBBB0FF89310F144199F954E7392CBB48941CFA1

Function 0083CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0083CEB7
_free.LIBCMT ref: 0083CF22
_free.LIBCMT ref: 0083CF48
_free.LIBCMT ref: 0083CF71
_free.LIBCMT ref: 0083CFA9
_free.LIBCMT ref: 0083CFDA
_free.LIBCMT ref: 0083D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0083D09C
_free.LIBCMT ref: 0083D0B5

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction ID: 7945275539c7a7f9525b61efe6a44fa1da27ad5009ca12e7aebd403be5002791
Opcode Fuzzy Hash: 859de36988c813d8e2150b22bbbcca5990a2cd2ce76e76ffe337987ca05925c4
Instruction Fuzzy Hash: B5614771905314AFDF25AFB8A891B697BA5FF85320F14426EF900E7242DB729D01CBD1

Function 00818B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00856890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 00856901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0085691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00818874,00000000,00000000,00000000,000000FF,00000000), ref: 0085692D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction ID: 4b4b77dfe9353d0fdc19182cc092bb40521c4ca7784abb7b815763ddedea1aa2
Opcode Fuzzy Hash: 7eaad53494bfa713475de0a298eedd6d6cbaff7d1baa4cab83f4f04afdf4024b
Instruction Fuzzy Hash: 1B519AB0600209EFDB20DF24CC56BAA7BB9FF58361F144529F946D72A0EB71E990DB50

Function 0087C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087C182
GetLastError.KERNEL32 ref: 0087C195
SetEvent.KERNEL32(?), ref: 0087C1A9

Part of subcall function 0087C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087C272
Part of subcall function 0087C253: GetLastError.KERNEL32 ref: 0087C322
Part of subcall function 0087C253: SetEvent.KERNEL32(?), ref: 0087C336
Part of subcall function 0087C253: InternetCloseHandle.WININET(00000000), ref: 0087C341

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction ID: f9b62e26ab18d24a07ee02da8f27571a3abac4f392cd4194c2801add0de91d06
Opcode Fuzzy Hash: 1638f16c5e8f0c0bb544cca7d3e72b79aadde25772a61ea083875b0af1ee0413
Instruction Fuzzy Hash: 55318A71200605BFDB21AFE9DC44A66BBF8FF58300B54842EF95AC3615DB31E914ABA0

Function 008625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00862601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00862605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0086260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00862623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00862627

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction ID: 6db04ae1d115cdcc7e2eaaae560367e4cfed5e2387763b46e86568c915200b29
Opcode Fuzzy Hash: 3cced76816cb34a6685691d6b276b51bdccd601585d9d8e793963c6f3cd3d4b7
Instruction Fuzzy Hash: B101B130290624BBFB2077699C8AF593E59EF5AB52F110016F318EE0D1C9E22444DA6A

Function 00861803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00861449,?,?,00000000), ref: 0086180C
HeapAlloc.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861828
GetCurrentProcess.KERNEL32(?,00000000,?,00861449,?,?,00000000), ref: 00861830
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 00861833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00861449,?,?,00000000), ref: 00861843
GetCurrentProcess.KERNEL32(00861449,00000000,?,00861449,?,?,00000000), ref: 0086184B
DuplicateHandle.KERNEL32(00000000,?,00861449,?,?,00000000), ref: 0086184E
CreateThread.KERNEL32(00000000,00000000,00861874,00000000,00000000,00000000), ref: 00861868

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction ID: 817635f20a3ae0e27f905fe9da83cf7abb913ff5778ccc887d31fece8066bf08
Opcode Fuzzy Hash: 700a694ae6bcc04c229f7d1e48694a5d73425e120a3029017a3c8afe9d02da43
Instruction Fuzzy Hash: 0501BF75240304BFE710AB65DD4DF5B7B6CFB89B11F454411FA05DB2A1C6759800CB34

Function 0088A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0086D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0086D501
Part of subcall function 0086D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0086D50F
Part of subcall function 0086D4DC: CloseHandle.KERNELBASE(00000000), ref: 0086D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A16D
GetLastError.KERNEL32 ref: 0088A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0088A268
GetLastError.KERNEL32(00000000), ref: 0088A273
CloseHandle.KERNEL32(00000000), ref: 0088A2C4

Strings

SeDebugPrivilege, xrefs: 0088A18F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7f73fcb437763006ab2526bbd0b2c03af47e20419e3a0372fce9ddd0b7a5ca6f
Instruction ID: 5c0a1456a306d8d6ed66a229aade52e8166c78c9765d9ffd4788a5406e6a2a39
Opcode Fuzzy Hash: 7f73fcb437763006ab2526bbd0b2c03af47e20419e3a0372fce9ddd0b7a5ca6f
Instruction Fuzzy Hash: 276159742042429FE724EF18C894F15BBA5FF44318F19849DE4668B7E2CBB6EC45CB92

Function 00893886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00893925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0089393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00893954
_wcslen.LIBCMT ref: 00893999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008939F4

Strings

SysListView32, xrefs: 008938F7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction ID: 112369888489635cf60522c3719b85e826b30b01f70603173ac0eb3a60955e46
Opcode Fuzzy Hash: 47f7a02c9ce652240467d7f6b7ec6410cfd3c4e8afba7f2415bafd9a921dfc52
Instruction Fuzzy Hash: 8841B471A00219ABEF21AF64CC49FEA7BA9FF08354F14052AF958E7281D775DD80CB90

Function 0086BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0086BCFD
IsMenu.USER32(00000000), ref: 0086BD1D
CreatePopupMenu.USER32 ref: 0086BD53
GetMenuItemCount.USER32(00D86638), ref: 0086BDA4
InsertMenuItemW.USER32(00D86638,?,00000001,00000030), ref: 0086BDCC

Strings

0, xrefs: 0086BCA8
2, xrefs: 0086BD37

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction ID: 2a8f30341b2a4910e02db2a548b9e37fc9d869b953e132bcaa51e4956cc5d060
Opcode Fuzzy Hash: e103ea81140151d430cc14097fa135d333f865343dc78d3181739f1c9c0878e5
Instruction Fuzzy Hash: F351BF70A00209ABDF20DFA8D884BAEBBF8FF4535CF15421AE441DF291D7719981CB62

Function 0086C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0086C913

Strings

info, xrefs: 0086C8B4
blank, xrefs: 0086C895
question, xrefs: 0086C8CC
stop, xrefs: 0086C8E4
warning, xrefs: 0086C8FC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction ID: c31e9bd273178ddfa769d66af7d2f0feefae2eac77b5bc15c55d2fd2e0ec18a8
Opcode Fuzzy Hash: 63e1d1580cdadc6abeea362ceff8570889fd9e8527310bd01c8d1f7984072774
Instruction Fuzzy Hash: 38113D3168931ABAE704AB54AC83DBA2BACFF15358B11003FF544E6382E7749D405275

Function 0086DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0086DE42
gethostname.WSOCK32(?,00000100), ref: 0086DE5C
gethostbyname.WSOCK32(?), ref: 0086DE69
inet_ntoa.WSOCK32(?), ref: 0086DEAB
_strcat.LIBCMT ref: 0086DEB9
WSACleanup.WSOCK32 ref: 0086DEDE

Strings

0.0.0.0, xrefs: 0086DE87

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f03d5c905b2f288a766af9e63c7b7c0af10a415da21c72e6a19920ad77da9bfa
Instruction ID: c031fd0ad0730fd2a66e9a8f25caedb7c67e56582058cc8e11ec0eacd5784bc8
Opcode Fuzzy Hash: f03d5c905b2f288a766af9e63c7b7c0af10a415da21c72e6a19920ad77da9bfa
Instruction Fuzzy Hash: E411DD71A04218AFCB207B64AC4ADDE776CFF11715F05017AF545EA091EF768AC18A61

Function 00899F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetSystemMetrics.USER32(0000000F), ref: 00899FC7
GetSystemMetrics.USER32(0000000F), ref: 00899FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0089A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0089A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0089A263
ShowWindow.USER32(00000003,00000000), ref: 0089A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0089A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0089A2CA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction ID: fb257e68ee98c8598ac4023819624dd3e7bf4a325d8dfae2adc620862413c9c5
Opcode Fuzzy Hash: 3abe82017bfacb2af412bbddeae22465a918e6ed91d5b3b46ad303ac581b057b
Instruction Fuzzy Hash: 44B16B31600219EFDF18DFA8C9857AE7BB2FF44711F198069EC85DB295D731A940CB91

Function 0086ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0086ED2A
_wcslen.LIBCMT ref: 0086ED3B
_wcslen.LIBCMT ref: 0086ED79
_wcslen.LIBCMT ref: 0086EDAF
_wcslen.LIBCMT ref: 0086EDDF
_wcslen.LIBCMT ref: 0086EDEF
_wcslen.LIBCMT ref: 0086EE2B
_wcslen.LIBCMT ref: 0086EE5A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction ID: 54dd2d2a6e23afbe6df2c52551b6c9fb8f4544db1441cba58cda15fafb79a680
Opcode Fuzzy Hash: 8c026e059709ee20ac8578d7aef2296a90aee1785184dec2c4477e3050b266c2
Instruction Fuzzy Hash: C8418365C10228B6CB11EBF8DC8A9CFB7A8FF45710F518562E518E3121FB74E295C3A6

Function 0081F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0081F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0085F454

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction ID: 1a69b14d911935cb0bc696e7b9e49511a78f840a55f3974e4c67318c633dc07a
Opcode Fuzzy Hash: 283e381758c8c332a512bb0c502ec863bed347963c7a01a49e744455bd45d9a3
Instruction Fuzzy Hash: 43416C30208244BAC734BB2C98887EA7F99FF46324F58413DE747D2663C63298C5CB11

Function 00892D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892D1B
GetDC.USER32(00000000), ref: 00892D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892D2E
ReleaseDC.USER32(00000000,00000000), ref: 00892D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00892D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00892D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00895A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00892DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00892DE1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction ID: 7d9dfc4aa611e95b99c0f2d675a5049682ef23fccef1736ba0a6945a4346ba5c
Opcode Fuzzy Hash: 003810129dfe60ea383d1c26b52db7d0a7c783d0057ef65fa8fb3d7381b991c0
Instruction Fuzzy Hash: F3316972201614BBEF219F548C8AFEB3BA9FB19755F084056FE08DA291C6769C50CBA4

Function 00865622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865637
_memcmp.LIBVCRUNTIME ref: 00865659
_memcmp.LIBVCRUNTIME ref: 00865671
_memcmp.LIBVCRUNTIME ref: 00865684
_memcmp.LIBVCRUNTIME ref: 0086569E
_memcmp.LIBVCRUNTIME ref: 008656B1
_memcmp.LIBVCRUNTIME ref: 008656C9
_memcmp.LIBVCRUNTIME ref: 008656E4

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction ID: f27ac3313d45467e3c69597f4f4f3164245102ad03bd28854c4ce351b6569a5d
Opcode Fuzzy Hash: a13bb90f66eec9fcce9bccd91999b94cd093b4bf73954d12e0bce5b389338c99
Instruction Fuzzy Hash: AA21C961640A297BDA18A524DD86FFA335DFF30398F594020FE05DA782F728ED60C5A6

Function 00884FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00885007
NULL Pointer assignment, xrefs: 0088502E, 00885383

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction ID: 18736f8b04d0049b5ed10a73665d6249598047154eaca2960aba1f0b10b41031
Opcode Fuzzy Hash: 420c39c6e5416c1fb8390eb9b445e251f6043cc29a9beee41efb0a69495df0f5
Instruction Fuzzy Hash: 6ED1B075A0060AAFDF10EFA8C885BAEB7B5FF48344F148069E915EB281E771DD45CB90

Function 00841522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00841651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008417FB,?,008417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008416FB

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00841777
__freea.LIBCMT ref: 008417A2
__freea.LIBCMT ref: 008417AE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction ID: 11bcec3680ca54b8c8b248df8dd9bb78a7727494a0a63b2665a0c41c32b8885c
Opcode Fuzzy Hash: aadd91692584c8a73bbd55f9bf0a9259a1e4859f45aaed2bf90132d39f5cbd22
Instruction Fuzzy Hash: E691C271F0021E9ADF208E64C889AEEBBB5FF59754F194659E805E7141EB35CC80CBA0

Function 00884523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00884648
VariantInit.OLEAUT32(?), ref: 00884749
VariantClear.OLEAUT32(?), ref: 00884753
VariantClear.OLEAUT32(?), ref: 008847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008845D8, 00884706, 008847BE
Incorrect Object type in FOR..IN loop, xrefs: 0088472C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2de93189aa12ebb3ddbb3980664259daf9b5da9b346f184d03f777d3fb27529f
Instruction ID: c2da330c5bdd0835c05017d3f7bb2abbbc39b9c19aa6fbd97d2b08500f2a1dd8
Opcode Fuzzy Hash: 2de93189aa12ebb3ddbb3980664259daf9b5da9b346f184d03f777d3fb27529f
Instruction Fuzzy Hash: 8B917E72A0021AABDF20EFA4C844FAEBBB8FF46714F108559F515EB281D7709945CFA0

Function 00871187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0087125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00871284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0087135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00871430

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction ID: 06ccb901f9d0c3aed5d5e3fed4c611ac29b2b09dcf1e08d35655b287abd639cc
Opcode Fuzzy Hash: 29ecba558c39f65b56dd99abaa49a5c26291665dc2503d53869bcf96de5ad8a1
Instruction Fuzzy Hash: 1991D171A00219AFDB00DF9CC888BBEB7B9FF45315F148029E904EB696D774E941CB95

Function 0081948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction ID: d013e0c2b65f3eb738cbe5b04ad3fcb93c111a42f13ee693f48213564a6cb00d
Opcode Fuzzy Hash: 76ee0df940e228ee256ff74c943289296a5f79be255f2fafe2d93874940ba7be
Instruction Fuzzy Hash: BD911471D00219EFCB10CFA9C884AEEBBB9FF49320F148559E955F7251D375AA82CB60

Function 00883947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0088396B
CharUpperBuffW.USER32(?,?), ref: 00883A7A
_wcslen.LIBCMT ref: 00883A8A
VariantClear.OLEAUT32(?), ref: 00883C1F

Part of subcall function 00870CDF: VariantInit.OLEAUT32(00000000), ref: 00870D1F
Part of subcall function 00870CDF: VariantCopy.OLEAUT32(?,?), ref: 00870D28
Part of subcall function 00870CDF: VariantClear.OLEAUT32(?), ref: 00870D34

Strings

AUTOIT.ERROR, xrefs: 00883A80, 00883A85
Incorrect Parameter format, xrefs: 008839A6, 00883BA1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction ID: 2a1f97cdd4efeaa8e45038d60690934d5e8b2467c386d6fea00f555ac5b1c278
Opcode Fuzzy Hash: 7fd7bfbed15d86730a563abb6f5117a3ab954ae9977bc646c559d11ec1640eff
Instruction Fuzzy Hash: EF9113756083059FC704EF68C88096AB7E5FF89714F14882DF88ADB351DB31EA45CB92

Function 00884BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0086000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
Part of subcall function 0086000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
Part of subcall function 0086000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
Part of subcall function 0086000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00884C51
_wcslen.LIBCMT ref: 00884D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00884DCF
CoTaskMemFree.OLE32(?), ref: 00884DDA

Strings

NULL Pointer assignment, xrefs: 00884E23, 00884E52

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction ID: ed968c7c8cfc66ea6c18c7bce62b0f8db2eae831444fee9533d4ba540e5593f5
Opcode Fuzzy Hash: a895925598f62dd79b19892dfcf7c00046c4ebd25d9fcce03e0276b2d50f005d
Instruction Fuzzy Hash: 8C91F772D0021EABDF14EFA4DC91AEEB7B9FF08314F108169E515E7291DB705A448F61

Function 008920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00892183
GetMenuItemCount.USER32(00000000), ref: 008921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008921DD
_wcslen.LIBCMT ref: 00892213
GetMenuItemID.USER32(?,?), ref: 0089224D
GetSubMenu.USER32(?,?), ref: 0089225B

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008922E3

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 22399eb8f3d7b0759d82f76c61aec7ec42cf470995ce221b8efeb8a8aa5c3e1f
Instruction ID: 4d92fa966d654c6bc8a39711b8c553d35825c09009f76172920cc553753a4f76
Opcode Fuzzy Hash: 22399eb8f3d7b0759d82f76c61aec7ec42cf470995ce221b8efeb8a8aa5c3e1f
Instruction Fuzzy Hash: 92717D75A00215AFCF14EFA8C845AAEB7F5FF88310F188459E916EB351DB34ED418B91

Function 00897E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D86458), ref: 00897F37
IsWindowEnabled.USER32(00D86458), ref: 00897F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0089801E
SendMessageW.USER32(00D86458,000000B0,?,?), ref: 00898051
IsDlgButtonChecked.USER32(?,?), ref: 00898089
GetWindowLongW.USER32(00D86458,000000EC), ref: 008980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008980C3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction ID: ac1a43084f82f02fc8c35d636300eb414af27feb8d06e6adde1a14843d093b5f
Opcode Fuzzy Hash: d8dfc2533374672fbfef1d49be68c6b7ceae7353b592aba2db1ade029bce16ad
Instruction Fuzzy Hash: 37719E34608645EFEF21AF64CC94FBABBB5FF5A300F18445AE945E7261CB31A845DB20

Function 0086AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0086AEF9
GetKeyboardState.USER32(?), ref: 0086AF0E
SetKeyboardState.USER32(?), ref: 0086AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0086AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0086AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0086AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0086B020

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction ID: 1a45f7ca0f13369298f346ddd1c0572c97435affebf1c3369f06f34e11def5d9
Opcode Fuzzy Hash: 46772aa6ebfdc77d957bcfd262d445d7bc8dca060d3dd798a2fa1eac60b33368
Instruction Fuzzy Hash: C651C4A0A047D53DFB3642348C45BBA7EE9BB06308F098489E1D5D54C3D7A9A8C4D752

Function 0086ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0086AD19
GetKeyboardState.USER32(?), ref: 0086AD2E
SetKeyboardState.USER32(?), ref: 0086AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0086ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0086ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0086AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0086AE38

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction ID: c465774dbadeeed95015bf2f9c5666a8e8384e6fd7cc08d3930bc62901b04dca
Opcode Fuzzy Hash: a510e0157dbdc1960cc57ff1f43958607b6c436a857a94ea6c2a5cf7768b30f5
Instruction Fuzzy Hash: 7351F6A16047D53DFB3B83348C95B7A7EE8FB05304F098489E1D5E68C2C295EC84DB52

Function 0083542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00843CD6,?,?,?,?,?,?,?,?,00835BA3,?,?,00843CD6,?,?), ref: 00835470
__fassign.LIBCMT ref: 008354EB
__fassign.LIBCMT ref: 00835506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00843CD6,00000005,00000000,00000000), ref: 0083552C
WriteFile.KERNEL32(?,00843CD6,00000000,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 0083554B
WriteFile.KERNEL32(?,?,00000001,00835BA3,00000000,?,?,?,?,?,?,?,?,?,00835BA3,?), ref: 00835584

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction ID: c3c23245dc5df4f18157f56aa4ccf44873df490ac8cc342365e9b7227f9931bd
Opcode Fuzzy Hash: 85f6480d5bbf89689e68cf2fdd16f144e3844ca94a589ba05cfa7f5567e3b8cd
Instruction Fuzzy Hash: 8E51B4B1A006499FDB10CFA8D855AEEBBF9FF49300F14452AF955E7291D730AA41CBA0

Function 00822D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00822D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00822D53
_ValidateLocalCookies.LIBCMT ref: 00822DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00822E0C
_ValidateLocalCookies.LIBCMT ref: 00822E61

Strings

csm, xrefs: 00822DF6

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction ID: 5d751ac84c7e3a21ee06b303162fb91c957e1d069fc9c561b5d4fb3192897462
Opcode Fuzzy Hash: bc2a4bc9d79782535a748951f76bd3531c7d8250d5e6bf1205a7a971daa8c696
Instruction Fuzzy Hash: BE41E334E0022CBBCF10DF68E844AAEBBB4FF45324F148165E814EB392D7359A81CB91

Function 008810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
Part of subcall function 0088304E: _wcslen.LIBCMT ref: 0088309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00881112
WSAGetLastError.WSOCK32 ref: 00881121
WSAGetLastError.WSOCK32 ref: 008811C9
closesocket.WSOCK32(00000000), ref: 008811F9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction ID: d146ecc28ed8ccc679a07d3f28ba2fcefaf2e1e262a52b15193c02ad82b81cf3
Opcode Fuzzy Hash: f65ef292447b5ca56599c5c0865666a5d799db97593952d32011661c7585575c
Instruction Fuzzy Hash: 8C41D435600204AFDB10AF58CC8CBA9B7E9FF45368F148159F915EB291CB71ED42CBA1

Function 0086CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

lstrcmpiW.KERNEL32(?,?), ref: 0086CF45
MoveFileW.KERNEL32(?,?), ref: 0086CF7F
_wcslen.LIBCMT ref: 0086D005
_wcslen.LIBCMT ref: 0086D01B
SHFileOperationW.SHELL32(?), ref: 0086D061

Strings

\*.*, xrefs: 0086CFF3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction ID: 24eeac3ddce2ae55ced0c895529b9b2694a897e7ea3ce00d3cd3d46e6d7d3d0f
Opcode Fuzzy Hash: ae3d35f1d75dea3e90e17640143799b26b395aa49a0e04073981f84f91035072
Instruction Fuzzy Hash: 4D4131719452189FDF12EBA4D981AEEB7B9FF08380F1100E6E545EB142EE74A688CB51

Function 00892DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00892E1C
GetWindowLongW.USER32(?,000000F0), ref: 00892E4F
GetWindowLongW.USER32(?,000000F0), ref: 00892E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00892EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00892EE0
GetWindowLongW.USER32(?,000000F0), ref: 00892EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00892F0B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction ID: 779e3b29d59a75473766ddb4967e770a4ffc04e54e582855525694ed63f3ccab
Opcode Fuzzy Hash: 5f293293884663f3da8928e27308420eec7baa2faffc106980abd68b051cfe45
Instruction Fuzzy Hash: FF310035645244BFEF21EF58DCD8F693BA0FB9A710F5901A6F901CB2B2CB61A8409B51

Function 00867726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0086778F
SysAllocString.OLEAUT32(00000000), ref: 00867792
SysAllocString.OLEAUT32(?), ref: 008677B0
SysFreeString.OLEAUT32(?), ref: 008677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008677DE
SysAllocString.OLEAUT32(?), ref: 008677EC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4966f8894ea3aa24039b86dccbec0e6af04ce8398f1eb5d1f7add0db2b63348f
Instruction ID: 46ccbd21a3cdda8f991db5caf608c4ccab9e5fb04527d078295be41d8cca1276
Opcode Fuzzy Hash: 4966f8894ea3aa24039b86dccbec0e6af04ce8398f1eb5d1f7add0db2b63348f
Instruction Fuzzy Hash: 9C21B076608219AFDF10EFA8CD88CBB77ACFF093687058026FA14DB151D674DC4187A4

Function 008677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00867868
SysAllocString.OLEAUT32(00000000), ref: 0086786B
SysAllocString.OLEAUT32 ref: 0086788C
SysFreeString.OLEAUT32 ref: 00867895
StringFromGUID2.OLE32(?,?,00000028), ref: 008678AF
SysAllocString.OLEAUT32(?), ref: 008678BD

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d593f4a6f4490da8ca712430813266c8b9dfaa0cae91972f5b77a75630ed5340
Instruction ID: 8bf87fe0a45d0534490741b6d5bdd2f07453610202ffe476e62bab9dbcec3da1
Opcode Fuzzy Hash: d593f4a6f4490da8ca712430813266c8b9dfaa0cae91972f5b77a75630ed5340
Instruction Fuzzy Hash: 63217431608208AFDB10AFB8DC88DAA77ECFB097647158135F915CB2A1D670DC81CBA8

Function 008704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0087052E

Strings

nul, xrefs: 00870567

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction ID: 85f7ccc1ab186cc7ac3d52a768c17dea6d555902bab5740bf7247f4369f9dcc7
Opcode Fuzzy Hash: c168ce72a4e49dfdd979ee8dc6ca5585e9d0a860010a3501de2251a3a6aeb14a
Instruction Fuzzy Hash: A0218D71500305EBDB209F69DC44A9A7BB4FF54724F248A19F8A9E62E4D771D940CF20

Function 008705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00870601

Strings

nul, xrefs: 00870639

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction ID: b3ede07a924707891a9dad1f99db8444e04a478c39cf7c204e8ce8e7e564a834
Opcode Fuzzy Hash: 84725a4570459bc5907640012be77274eeb33f3eef5e9cac33c92f1674740bde
Instruction Fuzzy Hash: 2521D171500305DBDB209F688C14A9A77E4FFA1724F248A1AF8A5E72E4D770D860CF20

Function 008940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00894112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0089411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0089412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00894139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00894145

Strings

Msctls_Progress32, xrefs: 008940E3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction ID: 8a57dd555737af9eff6d8ce9b092905dbbe131ec7d7fda3a79a7f19fc4071c45
Opcode Fuzzy Hash: dfb5eda3b5bfecac42cdbdcc4d77920a39253b27903a07ed694ee946cecf27bb
Instruction Fuzzy Hash: 1A1190B214021DBEEF119E64CC85EE77F6DFF08798F004111BA18E2190C6729C219BA4

Function 0083D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083D7A3: _free.LIBCMT ref: 0083D7CC

_free.LIBCMT ref: 0083D82D

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D838
_free.LIBCMT ref: 0083D843
_free.LIBCMT ref: 0083D897
_free.LIBCMT ref: 0083D8A2
_free.LIBCMT ref: 0083D8AD
_free.LIBCMT ref: 0083D8B8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: f6fb5ef22450ff740fdaf9d5dd67b24056d62e1460583c5e013fbb04b4abb9f7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 64115E71940B14AAD621BFB4EC47FCB7BDCFF80700F400825BA99E6292DA65B50586E2

Function 0086DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0086DA74
LoadStringW.USER32(00000000), ref: 0086DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086DA91
LoadStringW.USER32(00000000), ref: 0086DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0086DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0086DAB9

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction ID: 11a8242cfc58dc2f264f99b26a84587e3927db99b7ef1a00dbd0eb1b31506165
Opcode Fuzzy Hash: 346fb7d4776bdcb4a2b15aef0ec6860061fd0d82493cbe7fed9850edf4275744
Instruction Fuzzy Hash: 6C0162F29042187FEB11EBE49D89EEB376CF708305F440496B746E2041EA759E844F74

Function 0087096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D7F160,00D7F160), ref: 0087097B
EnterCriticalSection.KERNEL32(00D7F140,00000000), ref: 0087098D
TerminateThread.KERNEL32(?,000001F6), ref: 0087099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008709A9
CloseHandle.KERNEL32(?), ref: 008709B8
InterlockedExchange.KERNEL32(00D7F160,000001F6), ref: 008709C8
LeaveCriticalSection.KERNEL32(00D7F140), ref: 008709CF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction ID: 5287ec6a31eab4b3071e8c7815ace269f8b196dff5b56b276d8664efc9e932b9
Opcode Fuzzy Hash: 7e3161e66e56f729f4b53baba9b72a3cde802f27c9afb211e71d9dddb2c2f173
Instruction Fuzzy Hash: 17F0E131446912FFD7516FA4EE8DBD6BB35FF05702F841016F201908A5C776A465CFA0

Function 00881C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00881DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00881DE1
WSAGetLastError.WSOCK32 ref: 00881DF2
htons.WSOCK32(?,?,?,?,?), ref: 00881EDB
inet_ntoa.WSOCK32(?), ref: 00881E8C

Part of subcall function 008639E8: _strlen.LIBCMT ref: 008639F2

Part of subcall function 00883224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0087EC0C), ref: 00883240

_strlen.LIBCMT ref: 00881F35

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 72c7799d3c043713553ed7e15bcc4105e439659ff796a87b58baea44a66ae2b7
Instruction ID: 6a94477ba5a39e414183c9fb1024521bc812689de8f622eff505bb8882d3a5f9
Opcode Fuzzy Hash: 72c7799d3c043713553ed7e15bcc4105e439659ff796a87b58baea44a66ae2b7
Instruction Fuzzy Hash: A8B17E31204240AFD724EB28C885E2A77A9FF84318F54855CF5569B2E2DF71ED46CB92

Function 00805D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00805D30
GetWindowRect.USER32(?,?), ref: 00805D71
ScreenToClient.USER32(?,?), ref: 00805D99
GetClientRect.USER32(?,?), ref: 00805ED7
GetWindowRect.USER32(?,?), ref: 00805EF8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction ID: f338ffe062ce87f223ee126d5ccf7d35454251b151bb25bbbea8cb296341697d
Opcode Fuzzy Hash: a522cdf409bd0a5148da54f5f8c3e18554f29e02c301f5719e2ce9c81f54c2ac
Instruction Fuzzy Hash: 35B16B34A0064ADBDB10CFA9C8407EEBBF1FF58314F14941AE8A9D7290DB34AA51DF64

Function 008301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008300D6
__allrem.LIBCMT ref: 008300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0083010B
__allrem.LIBCMT ref: 00830122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00830140

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: ab2114224862029fa61fb409d55ff0bf6500d53c7424a9d76b41898cd708a7be
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 62812771A00B1A9BE7249F2CDC51B6A73F8FF81724F24413AF551D6682EB74D9408BD1

Function 008361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008282D9,008282D9,?,?,?,0083644F,00000001,00000001,8BE85006), ref: 00836258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0083644F,00000001,00000001,8BE85006,?,?,?), ref: 008362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008363D8
__freea.LIBCMT ref: 008363E5

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

__freea.LIBCMT ref: 008363EE
__freea.LIBCMT ref: 00836413

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction ID: 3901a67fc305c12a6f31f4856cfa66c4151b74e3c0cee7db3d1a7e8d99d2dd1b
Opcode Fuzzy Hash: 84970da3ddfd6376ede5906d9423d9f243835972376bcb4d1ca3ce3199993731
Instruction Fuzzy Hash: AF51B072A00216BBDF259F68DC81EAF77A9FB84750F158629FC05D6241EB34DC60C6E0

Function 0088BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BD25
RegCloseKey.ADVAPI32(00000000), ref: 0088BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0088BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088BDF3
RegCloseKey.ADVAPI32(?), ref: 0088BDFF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 019c5832820c530270954a3cd2a58c76d4b830f971a7608507834b34863fad4e
Instruction ID: 54cc4ad74bda3abc1687bf68a2172469a435b74ff195d2c35bc4e8eec72c5d61
Opcode Fuzzy Hash: 019c5832820c530270954a3cd2a58c76d4b830f971a7608507834b34863fad4e
Instruction Fuzzy Hash: 28818170208241EFD714EF24C895E6ABBE5FF84308F14855DF5598B2A2DB31ED45CB92

Function 0085F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0085F7B9
SysAllocString.OLEAUT32(00000001), ref: 0085F860
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F889
VariantClear.OLEAUT32(0085FA64), ref: 0085F8AD
VariantCopy.OLEAUT32(0085FA64,00000000), ref: 0085F8B1
VariantClear.OLEAUT32(?), ref: 0085F8BB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction ID: 64d25eb8801982a941e9ab963eec99098bf1cc872a2218d6227eeec8118fa53b
Opcode Fuzzy Hash: e8fe31c7abdcc3de1caaeb8a6858197310c840663f055da32cbf965da5a02f1e
Instruction Fuzzy Hash: 8A51B431600314ABCF20AB69D895B29B7A8FF45316F249467EE05DF297DB708C84C797

Function 0087910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008794E5
_wcslen.LIBCMT ref: 00879506
_wcslen.LIBCMT ref: 0087952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00879585

Strings

X, xrefs: 00879412

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ce9f06e407f7fe37832c494cd595b8284f59aca55511f34a2d823246727b78e8
Instruction ID: f68123af38646b046d9c6d758dc146355193b723b2570975122e96f4ec78ea2c
Opcode Fuzzy Hash: ce9f06e407f7fe37832c494cd595b8284f59aca55511f34a2d823246727b78e8
Instruction Fuzzy Hash: 0FE18E316083108FD764EF28C881A6AB7E4FF85314F04896DE999DB3A2DB31DD45CB92

Function 0081920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

BeginPaint.USER32(?,?,?), ref: 00819241
GetWindowRect.USER32(?,?), ref: 008192A5
ScreenToClient.USER32(?,?), ref: 008192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008192D3
EndPaint.USER32(?,?,?,?,?), ref: 00819321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008571EA

Part of subcall function 00819339: BeginPath.GDI32(00000000), ref: 00819357

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction ID: 790b89299192bfd7bb884bd2669afe94fe9a9a40f0e30bab9302f83a71fce754
Opcode Fuzzy Hash: b01f510591089fe727d560a999b40b4249851a29bc4a2b73854b11f30eeea15d
Instruction Fuzzy Hash: 38419F30105201AFDB11DF68DCA8FAA7BACFF55325F14026AF9A5C72A1C7319885DB62

Function 008707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0087080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00870847
EnterCriticalSection.KERNEL32(?), ref: 00870863
LeaveCriticalSection.KERNEL32(?), ref: 008708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00870921

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bd38fc432fd606e6936c6aaaa0e95f7ca6a92df6f43affbf88a5bfa507f69968
Instruction ID: 493b6296e0e39e823a7267c98c5649e6d873d81e935fad0daf1d906e8302a42f
Opcode Fuzzy Hash: bd38fc432fd606e6936c6aaaa0e95f7ca6a92df6f43affbf88a5bfa507f69968
Instruction Fuzzy Hash: EE415871A00205EBDF14AF58DC85AAA77B8FF04300B1480A6E904DA29BD731DEA1DBA5

Function 008981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0085F3AB,00000000,?,?,00000000,?,0085682C,00000004,00000000,00000000), ref: 0089824C
EnableWindow.USER32(?,00000000), ref: 00898272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008982D1
ShowWindow.USER32(?,00000004), ref: 008982E5
EnableWindow.USER32(?,00000001), ref: 0089830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0089832F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction ID: 2619c1dbc6f1abfe0b35f39db1054b345b66fe16ab86cea1cda1d38a39c1f744
Opcode Fuzzy Hash: 22cee8d1c4a2170d4b130c2e0ca26952115c26d7a8b179cbc2da89310a83c13c
Instruction Fuzzy Hash: 22417334601645FFDF15EF65C899BA47BE1FF0B714F5C426AE5088B262CB32A841CB50

Function 00864C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00864C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00864CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00864CEA
_wcslen.LIBCMT ref: 00864D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00864D10
_wcsstr.LIBVCRUNTIME ref: 00864D1A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b0e3ed4ec30d6e86e7e3469f24b333d57eb99dcde5009f1ae34bd18712eb079f
Instruction ID: bb8958d0bc530fe442e6fc946c5815477a17cf0728ade4d24d2790efaebd2f58
Opcode Fuzzy Hash: b0e3ed4ec30d6e86e7e3469f24b333d57eb99dcde5009f1ae34bd18712eb079f
Instruction Fuzzy Hash: 8D212632604204BBEB566B39AC09E7F7BACFF45750F15902EF905CA192EA61CC4092A1

Function 0087581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00803A97,?,?,00802E7F,?,?,?,00000000), ref: 00803AC2

_wcslen.LIBCMT ref: 0087587B
CoInitialize.OLE32(00000000), ref: 00875995
CoCreateInstance.OLE32(0089FCF8,00000000,00000001,0089FB68,?), ref: 008759AE
CoUninitialize.OLE32 ref: 008759CC

Strings

.lnk, xrefs: 00875876, 008758C1, 00875985

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction ID: c9ff52f0dff1af9a82b72581653eba5f78dc3205c1d4d8220c3d355c12f6ec95
Opcode Fuzzy Hash: 77b808d751fda1fd3ac2b49f40fafd2f477bee18f3b5d9262486f5509f842db1
Instruction Fuzzy Hash: 39D142716086019FC714DF28C880A2ABBE5FF89724F14885DF989DB3A1DB71ED45CB92

Function 0086175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
Part of subcall function 00860FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
Part of subcall function 00860FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
Part of subcall function 00860FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
Part of subcall function 00860FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

GetLengthSid.ADVAPI32(?,00000000,00861335), ref: 008617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008617BA
HeapAlloc.KERNEL32(00000000), ref: 008617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008617DA
GetProcessHeap.KERNEL32(00000000,00000000,00861335), ref: 008617EE
HeapFree.KERNEL32(00000000), ref: 008617F5

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction ID: 46763219742df53c6c8a095246bdc68e714ded7e186e04ce11065841190cff9a
Opcode Fuzzy Hash: 55c2e0f477b47cf48367df6839f99b2765f2775c31fd4813d8e33bb72959dac3
Instruction Fuzzy Hash: 3B11BB32600205FFDF10AFA4DC49BAF7BA9FB42359F194019F481E7216D736AA40CB60

Function 008614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00861506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00861515
CloseHandle.KERNEL32(00000004), ref: 00861520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00861563

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction ID: 2b8d2bb617a0f12c0f590430dde622b85dc8bf64897051c0f06c4a48a7672565
Opcode Fuzzy Hash: 0fb093d82ecc59c39e225fe19a9a53573fec90c0e7d99769be8a2e0acf2ed999
Instruction Fuzzy Hash: 6511297250120DABDF119FA8EE49FDE7BA9FF48748F094015FA05A2161C3768E60EB61

Function 00823382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00823379,00822FE5), ref: 00823390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0082339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008233B7
SetLastError.KERNEL32(00000000,?,00823379,00822FE5), ref: 00823409

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction ID: 557000cc3aac745ef26544b64b00622b95b467f24e3abaabce06d7009284f42a
Opcode Fuzzy Hash: 7e808daa93e59b207c341979ede70c086fff40b4757d56df357ee953f0eb4c22
Instruction Fuzzy Hash: FE014C33208731BEA61437787CA99172AA8FB257797200229F410C03F0EF264E836154

Function 00832D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00835686,00843CD6,?,00000000,?,00835B6A,?,?,?,?,?,0082E6D1,?,008C8A48), ref: 00832D78
_free.LIBCMT ref: 00832DAB
_free.LIBCMT ref: 00832DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0082E6D1,?,008C8A48,00000010,00804F4A,?,?,00000000,00843CD6), ref: 00832DEC
_abort.LIBCMT ref: 00832DF2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction ID: 355f7beaf1c36feb0b0caeeee28c22bec0272f6ab2d1c23599e172b45211b07d
Opcode Fuzzy Hash: bb9beb2369e7251faff1af0041cec187a4522e3fe313516ebad6f24305e09e1d
Instruction Fuzzy Hash: 07F0FC315056146FC612373DBC06F1F2A69FFC17B5F28051AF824D22D2EF75880251E2

Function 00898A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00898A4E
LineTo.GDI32(?,00000003,00000000), ref: 00898A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00898A70
LineTo.GDI32(?,00000000,00000003), ref: 00898A80
EndPath.GDI32(?), ref: 00898A90
StrokePath.GDI32(?), ref: 00898AA0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction ID: a73fdf3c9901d4ca39625af7916b940022e3b3c258a0b49f1ab1924fc4a21bc6
Opcode Fuzzy Hash: 6bc80bb2f3c491d21d05b48078dfe5db9ad3b60c9ce1187a35387a5ec71b4bf7
Instruction Fuzzy Hash: C311C976040119FFDF12AF94DC88EAA7FADFF08354F048012FA199A1A1C7729D55DBA0

Function 008651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00865218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00865229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00865230
ReleaseDC.USER32(00000000,00000000), ref: 00865238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0086524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00865261

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction ID: 6fdb850d1eab026d11967d189bfc402b8780b8ffdda8c23ad088e833e095ad1f
Opcode Fuzzy Hash: a9f841e96d72ee7532204ef7abb85fa6183eb087664e3dfa06bdd092cb9da6f5
Instruction Fuzzy Hash: 81014475A00714BBEB106BA59C49E5EBF78FB44751F044066FA04E7381D6719800CF60

Function 00801BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00801BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00801BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00801C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00801C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00801C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00801C22

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction ID: f29cd8a1fe5b34e6d7c621231edb51b5a2a802eecfa59f24641ad9d9ba68e9e4
Opcode Fuzzy Hash: 8362c950de40bb06b6def8bad085b73c5bc3e546337088f4b9d79460d6cf91b8
Instruction Fuzzy Hash: E10167B0902B5ABDE3009F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0086EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0086EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0086EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0086EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086EB75

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction ID: 9201b57dd63945f8dafd864196d58a0877eb84102702076a3e4f1ad8427878c6
Opcode Fuzzy Hash: 419f5405ce3495e8ad6a8e2bf086110baf2dc2e678804333b1e6d10ac4e086a0
Instruction Fuzzy Hash: E5F05E72240158BFE7216B629C0EEEF7E7CFFCAB11F04015AF601E1191D7A25A01C6B9

Function 00857439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00857452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00857469
GetWindowDC.USER32(?), ref: 00857475
GetPixel.GDI32(00000000,?,?), ref: 00857484
ReleaseDC.USER32(?,00000000), ref: 00857496
GetSysColor.USER32(00000005), ref: 008574B0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction ID: 116f7ac7e21a78615aba74cc108d7eae65a2c0d3d57f62eeb0ad55651a97c9a0
Opcode Fuzzy Hash: 53a945a2158d3a50679df2fd8889970afdb9c81cd6dc811fb988e38596c5a21a
Instruction Fuzzy Hash: 39014B31500219EFDB516FA4EC08BAA7BB5FF04312F594165FE16A21A1CB321E51AB50

Function 00861874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0086187F
UnloadUserProfile.USERENV(?,?), ref: 0086188B
CloseHandle.KERNEL32(?), ref: 00861894
CloseHandle.KERNEL32(?), ref: 0086189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008618A5
HeapFree.KERNEL32(00000000), ref: 008618AC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction ID: 6f7e61bb20a9fc6a4fd75f4d82369a55bed0279b5bcc4f6b4fbfda23d8897ee0
Opcode Fuzzy Hash: 3e3a7af14e382f65948396c31884867fb76e6ae922a0a9b83c0579defbc10126
Instruction Fuzzy Hash: A9E0E536004101BFDB016FA5EE0C90AFF39FF49B22B148222F22581170CB339420EF64

Function 0086C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C6EE
_wcslen.LIBCMT ref: 0086C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0086C7CA

Strings

0, xrefs: 0086C6AF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f315089e44a3fec8ffc9fb321c3c2c1f22b538b1fc247afafd7d54a59c5e6f70
Instruction ID: 24240059fe6164d37904df320a17c032e94fffea2e3227abb33cf9a2ddb671f6
Opcode Fuzzy Hash: f315089e44a3fec8ffc9fb321c3c2c1f22b538b1fc247afafd7d54a59c5e6f70
Instruction Fuzzy Hash: 1951DD71604301ABD7509F2CC889A7B77E8FF99314F050A2EF9E5D32A1DB60D8448B56

Function 0088AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0088AEA3

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

GetProcessId.KERNEL32(00000000), ref: 0088AF38
CloseHandle.KERNEL32(00000000), ref: 0088AF67

Strings

<, xrefs: 0088AE6B
@, xrefs: 0088AE72

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1416ae74593d2e16566430451e51e3c65f4af7274dc47b5cb2ef332d2fb19b3e
Instruction ID: 2e423b416732ca7486816c152046f857a7513dc3321dfe0498c4e166f7ec223a
Opcode Fuzzy Hash: 1416ae74593d2e16566430451e51e3c65f4af7274dc47b5cb2ef332d2fb19b3e
Instruction Fuzzy Hash: AA713A75A00615DFDB14EF58C884A9EBBB4FF08314F04849AE816AB392CB75ED41CB92

Function 0086719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00867206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0086723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0086724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008672CF

Strings

DllGetClassObject, xrefs: 00867242

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction ID: a6a851a23dcbd0b9e1618737b823f9893a17ae0e2dc7b34a4ba15fb2705c356d
Opcode Fuzzy Hash: 65d7e17ebb9605f306b663c12399973888a10773e07404e3535529717b2965ed
Instruction Fuzzy Hash: 4C416C71A04204AFDB15CF54C895B9ABBA9FF44318F1680A9BD06DF30AD7B1D944CBE0

Function 00893D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00893E35
IsMenu.USER32(?), ref: 00893E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00893E92
DrawMenuBar.USER32 ref: 00893EA5

Strings

0, xrefs: 00893D89

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction ID: 95674fe900a3bd49f41bd9878dbe9c0076a852033b9e0e1e7891e79e805b2c04
Opcode Fuzzy Hash: 68a6945f1c71aff0bd37fdadc03058e1bbf7dba2a2549a0d41791ccf3317a58a
Instruction Fuzzy Hash: D1413575A01209AFDF10EF64D884AAEBBB9FF49354F08412AF905EB650D730AE44CF60

Function 00861DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00861E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00861E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00861EA9

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Strings

ComboBox, xrefs: 00861DF0
ListBox, xrefs: 00861E25

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 71d4e048ac147eb9cd55a5f6a2e275b97c4b7e783df389140612d7779e3b7732
Instruction ID: 33d74d91804353293a47e8b2d3d85663201c02a92c902c6c904b4289c13732d6
Opcode Fuzzy Hash: 71d4e048ac147eb9cd55a5f6a2e275b97c4b7e783df389140612d7779e3b7732
Instruction Fuzzy Hash: AE213771A00104BADF54AB68DC49DFFB7B8FF41360B194119F821E72E2DB3A89059620

Function 00892F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00892F8D
LoadLibraryW.KERNEL32(?), ref: 00892F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00892FA9
DestroyWindow.USER32(?), ref: 00892FB1

Strings

SysAnimate32, xrefs: 00892F68

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction ID: ff853beb9b91ac2d8fbc6ae837b28faca394c3a1dabe3abbf7404f4c03a08eb9
Opcode Fuzzy Hash: f925a5c2077abc71fb2050d18d7189caa00e4f9c3c12ef4269cad51e995fafc8
Instruction Fuzzy Hash: 9521AC72200209BBEF21AFA4DC84EBB37B9FB99364F180629F954D2190DB71DC519760

Function 00824D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002), ref: 00824D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00824DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00824D1E,008328E9,?,00824CBE,008328E9,008C88B8,0000000C,00824E15,008328E9,00000002,00000000), ref: 00824DC3

Strings

CorExitProcess, xrefs: 00824D98
mscoree.dll, xrefs: 00824D86

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction ID: 461ae0eafe2bdd979f717f28e9951343a9524e2573f6e528fe069eff275f904a
Opcode Fuzzy Hash: 727a88d657ea35547fc0a3a09bcfee1d86bd72247b9c8e5e1f53b5530a4ff2ad
Instruction Fuzzy Hash: 2DF0AF30A00218BBDB10AF90EC09BADBBB4FF04751F0400A5F80AE2260CB325D80DEA0

Function 0085D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0085D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0085D3BF
FreeLibrary.KERNEL32(00000000), ref: 0085D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0085D3B9
X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction ID: f7a1c17cfa7d8db1cb3743e17b00dd30a0d254dddde6de7037a478d41e329e6c
Opcode Fuzzy Hash: ed6542053c9b44bce24591e9f1da03c9689c16c814789b17929c8ae8e4aa4567
Instruction Fuzzy Hash: EEF05531806B209BCB7167208C08AAE3724FF10707F58815AFD02E6320EB30CDCCCA82

Function 00804E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00804EAE
FreeLibrary.KERNEL32(00000000,?,?,00804EDD,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00804EA8
kernel32.dll, xrefs: 00804E94

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction ID: 01221a274247b181547ea591cbcf6705ee0d52d58622eeb5ed5db85c0302abb2
Opcode Fuzzy Hash: e1f01729ccd98db97a67ef13d31e34634b9038b132e2d475a5b2c2abf391efc2
Instruction Fuzzy Hash: F0E0CD35A415225BD3712B25FC18B5F7554FF81F7270D0116FD04D3250DB65CD0240E4

Function 00804E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804E74
FreeLibrary.KERNEL32(00000000,?,?,00843CDE,?,008D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00804E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00804E6E
kernel32.dll, xrefs: 00804E5B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction ID: 65923e7b17dd0d19bf4897f37aa04e4007e9ae8b4961dd3b8cf4c92fd310d03b
Opcode Fuzzy Hash: c365bcc4cb5cb29de2daeb80206b08473670241b726c1055adffa40283886ef7
Instruction Fuzzy Hash: 40D01235542621579A622B25BC18E8B7A18FF85B71389451ABA09E2294CF66CD0285D4

Function 00872947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872C05
DeleteFileW.KERNEL32(?), ref: 00872C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00872C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00872CC0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e8e77a37459068a2735320be213209cd29d923027c459c841ce4eaa7bb555623
Instruction ID: f8a1df50b87063e44b4819d92eec0253b08b6b26a489055cf15f4e9cac941aa4
Opcode Fuzzy Hash: e8e77a37459068a2735320be213209cd29d923027c459c841ce4eaa7bb555623
Instruction Fuzzy Hash: 83B1407190012DABDF21DBA8CC85EDEB77DFF49354F1080A6F509E6145EA31DA448F61

Function 0088A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0088A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0088A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0088A468
CloseHandle.KERNEL32(?), ref: 0088A63D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0b32f05f7a8917aabf7d28abb3097061d7e4f4a3cb24841c2e8e468ee1ceb115
Instruction ID: e6426ef3b45441a9d948a89924b760b2941f9713f375b989ef7951768805a96e
Opcode Fuzzy Hash: 0b32f05f7a8917aabf7d28abb3097061d7e4f4a3cb24841c2e8e468ee1ceb115
Instruction Fuzzy Hash: 66A15A716043019FE724EF28C886B2AB7E5FB84714F14885DF55ADB2D2DAB1EC418B92

Function 0083BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008A3700), ref: 0083BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0083BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008D1270,000000FF,?,0000003F,00000000,?), ref: 0083BC36
_free.LIBCMT ref: 0083BB7F

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083BD4B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 78808f8fe39a4badb6b337e5d618daa95c542070a698e8fcc9bbd438608b50c7
Instruction ID: 11f4d6888dd28f523f513340bf6799ec37aed12f86ddb7c8d8298bba72afcbb8
Opcode Fuzzy Hash: 78808f8fe39a4badb6b337e5d618daa95c542070a698e8fcc9bbd438608b50c7
Instruction Fuzzy Hash: 5A51B9B1900219AFCB20EF699C4596AB7BCFF81360F10426BE654D7291EB315E418BD1

Function 0086E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0086CF22,?), ref: 0086DDFD

Part of subcall function 0086DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0086CF22,?), ref: 0086DE16

Part of subcall function 0086E199: GetFileAttributesW.KERNEL32(?,0086CF95), ref: 0086E19A

lstrcmpiW.KERNEL32(?,?), ref: 0086E473
MoveFileW.KERNEL32(?,?), ref: 0086E4AC
_wcslen.LIBCMT ref: 0086E5EB
_wcslen.LIBCMT ref: 0086E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0086E650

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction ID: 58871bad515740df972c61a7f8086c70c9e809807bb5c839a6d237a3df2cf0d3
Opcode Fuzzy Hash: 42f61afeae96896256ce6ba29390c28513b8939052b87735f67a6e38a3af6ded
Instruction Fuzzy Hash: BE5150B25087859BC724EBA4DC819DB73DCFF85340F00492EF689D3191EE75A688876B

Function 0088B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 0088C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088B6AE,?,?), ref: 0088C9B5
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088C9F1
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA68
Part of subcall function 0088C998: _wcslen.LIBCMT ref: 0088CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0088BB63
RegCloseKey.ADVAPI32(?,?), ref: 0088BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0088BBB3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction ID: 55bafe089434c3ad37a9c70063dc0541fa1f0253e075bc6902b866a172af52b6
Opcode Fuzzy Hash: ee9f5934662237e02ae5e2825f7b038ee0251d4caf4bbdb1e94fc011e10a70c8
Instruction Fuzzy Hash: E1619031209241EFD714EF14C891E2ABBE5FF84318F5485ADF4998B2A2DB31ED45CB92

Function 00868BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00868BCD
VariantClear.OLEAUT32 ref: 00868C3E
VariantClear.OLEAUT32 ref: 00868C9D
VariantClear.OLEAUT32(?), ref: 00868D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00868D3B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction ID: 4414d903a798ce14a19b256a75aabcd5e85196441f52a1d44742fe02f1913272
Opcode Fuzzy Hash: 0e82caa166a9418763fb27ca62cfbc61fdf54e04be46aa8c958bf96f057371eb
Instruction Fuzzy Hash: E6515BB5A00219EFCB14CF58C894AAAB7F4FF89314F168559E909DB350E730E911CFA0

Function 00878AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00878BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00878BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00878C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00878C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00878C5F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 82b37ce679a11275de60c617b93c3d1a4c173b82d0fcc1962a85a15c5f7c41e2
Instruction ID: 2eaa87a1eb8fb937a621017f37f4e7732c8e99d909afc66a8b9175c34e0af4c7
Opcode Fuzzy Hash: 82b37ce679a11275de60c617b93c3d1a4c173b82d0fcc1962a85a15c5f7c41e2
Instruction Fuzzy Hash: 83515A35A00215DFDB41DF68C885AAABBF5FF48314F08C459E849AB3A2CB35ED41CB91

Function 00888EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00888F40
GetProcAddress.KERNEL32(00000000,?), ref: 00888FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00888FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00889032
FreeLibrary.KERNEL32(00000000), ref: 00889052

Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00871043,?,7529E610), ref: 0081F6E6
Part of subcall function 0081F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0085FA64,00000000,00000000,?,?,00871043,?,7529E610,?,0085FA64), ref: 0081F70D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction ID: c8d404985ca29488b8b8b32ff5ee970090325990aefe3218bb5fb704d95faeb5
Opcode Fuzzy Hash: f0d31f32bdb6c4c506e836e8c829aab460c5dcec4544a5c9f9097d19a470eac9
Instruction Fuzzy Hash: 1F513C35604605DFC711EF58C8848ADBBF1FF49314B4980A9E94AEB3A2DB31ED85CB91

Function 00896B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00896C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00896C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00896C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0087AB79,00000000,00000000), ref: 00896C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00896CC7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction ID: f64fdf5c8b87a1efe97299ae484e73a649302b46fdf341aa39d750db6501f8e3
Opcode Fuzzy Hash: 5fab29c8255615ffc1047340a4400bccbe542efaf59258c8f308890ec4b18ca7
Instruction Fuzzy Hash: E041B535604104AFDF25EF28CC58FA57BA5FB09368F190229F899E72E0E371ED61C650

Function 00832051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008320C3
_free.LIBCMT ref: 008320E3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction ID: 3ea980d6b5ff3d143a62876f68a99fd49434f822493b9b0b4a7fb7eeafec4b51
Opcode Fuzzy Hash: eb936c7e6dafc3ed120b73e32cbfd5f7e9ce05b2486ffef4630d7e5c9653b1fa
Instruction Fuzzy Hash: 6341D132A00614AFCB24DF78C981A5EB7B5FF89714F1545A8E616EB392DA31AD01CB81

Function 0081912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00819141
ScreenToClient.USER32(00000000,?), ref: 0081915E
GetAsyncKeyState.USER32(00000001), ref: 00819183
GetAsyncKeyState.USER32(00000002), ref: 0081919D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction ID: c630ae41da15ca54f485b7f5e2858092a3a653db0de50ee80987203566d710f9
Opcode Fuzzy Hash: f8a18a3d40b03246d86934e4fe3fd325a9f7a2eb0b61eb34dae4c99f70cc102c
Instruction Fuzzy Hash: F841707190850AFBDF059F68D858BEEB778FF05324F248216E865E32D0C7346994CB51

Function 00873874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00873922
TranslateMessage.USER32(?), ref: 0087394B
DispatchMessageW.USER32(?), ref: 00873955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00873966

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction ID: 69f2d80b8e6ac1e507cecfb38ef12baaf52b8697ee356a17728bb7d9002615d7
Opcode Fuzzy Hash: 20b21a6f2f9c879028465b93ea6004df24ae5aa2185b5e136e9e7ccda79861d2
Instruction Fuzzy Hash: EA31E870505345BEEF25CB749848BB67FA8FF06304F04866AD56AC21A4D3B5D684EB13

Function 0087CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0087CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0087C21E,00000000), ref: 0087CFF2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ab091066536eaf2d6725fc729f579e8b39d6eeaba3bc1c8cac0fa7b4655e4cf4
Instruction ID: 42595f9276e8d708cbbbd49a02f5775c0f02fb58b1a444be73a917afea7db949
Opcode Fuzzy Hash: ab091066536eaf2d6725fc729f579e8b39d6eeaba3bc1c8cac0fa7b4655e4cf4
Instruction Fuzzy Hash: 26317A71600209AFDB20DFA9D884AABBBF9FF14354B14842EF50AE3105DB70EE409B60

Function 00861901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00861915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008619E2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction ID: 07000b490224a0339e17b7e32b6727f487284fbb0dbb0eacbbd2a4622bb942b6
Opcode Fuzzy Hash: cdb6dc1f1e13fae8113765bd7620a542ea46213ad999791632f2713c13cb9b87
Instruction Fuzzy Hash: 0C319C71A00219EFCB00CFA8C99DA9E3BB5FB04315F594229F921EB2D2C7709944CB90

Function 00895706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00895745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0089579D
_wcslen.LIBCMT ref: 008957AF
_wcslen.LIBCMT ref: 008957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction ID: f5b9c938ace578cd5b9f35c239536be8e701a2367a4cce2dd483cd20020cd90c
Opcode Fuzzy Hash: 51d42353044fe66e7f1f9169eb7da02fcd0c0dfcd9542f5f725ab55c42e381fb
Instruction Fuzzy Hash: 4F218771904618AADF61AFA4DC45AED7B78FF14724F144216E929EA180D7708A85CF50

Function 0081990C Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1
GetWindowLongW.USER32(?,000000EB), ref: 00819952

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction ID: edd08cf04259e11fd085113cda23531ee2179fd52488cf51ed3eeee9bc65e95b
Opcode Fuzzy Hash: 4df2b26f64a0b2bcd44fe94779e7d54d6c22144aab42827357132b241ff23fb8
Instruction Fuzzy Hash: D821E9715493909FCB224F34EC68AE53F64FF53331B18429EE9D1CA1A2D7324992CB11

Function 00880930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00880951
GetForegroundWindow.USER32 ref: 00880968
GetDC.USER32(00000000), ref: 008809A4
GetPixel.GDI32(00000000,?,00000003), ref: 008809B0
ReleaseDC.USER32(00000000,00000003), ref: 008809E8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction ID: 24ddc06b3ed427fce788279324f2f0ccdc998c0bb8acb0eae7980a06f48d4473
Opcode Fuzzy Hash: 666ddaab4187cd42a91d193db189dec905bd62d5cc5abb8224fe2e8e7c6c2213
Instruction Fuzzy Hash: E6216236A00204AFD754EF69CC44A6EBBE5FF48704F04806DE85AD7761DB70AC44CB51

Function 0083CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0083CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0083CDE9

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0083CE0F
_free.LIBCMT ref: 0083CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0083CE31

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction ID: 47906e8e9fb6448645fc078262f0432a171affc6f4266a921b7fabd8a2b99c87
Opcode Fuzzy Hash: 1ecf83134e267be958a1ab8ec3d0659f195fbe9127f1dc563e0a2f635b230173
Instruction Fuzzy Hash: 9A01AC726012157F2721267AEC4CD7B7D6DFEC6BA1715012AFD05E7201DB628D0193F1

Function 00819639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
SelectObject.GDI32(?,00000000), ref: 008196A2
BeginPath.GDI32(?), ref: 008196B9
SelectObject.GDI32(?,00000000), ref: 008196E2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction ID: f8acbbf54e90ce3d6e784d1905c693201d4b1afe1182f6ba24f79ea3524c2847
Opcode Fuzzy Hash: fc50e24c0a6e4f6bda6225c963a709b16618b019512dc6ba53305e60c58f6d39
Instruction Fuzzy Hash: 2A214A70802205FBDF119F68EC28BE93BA8FF20365F944317F851A61A1D3715896CBA5

Function 00865711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00865726
_memcmp.LIBVCRUNTIME ref: 00865744
_memcmp.LIBVCRUNTIME ref: 00865757
_memcmp.LIBVCRUNTIME ref: 0086576F
_memcmp.LIBVCRUNTIME ref: 00865787

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction ID: 4f2fdd5d4f6534f0b8bf134b8c44b384dc103719c325c9b452861f0fcabd284b
Opcode Fuzzy Hash: 8dd3ce20c8305a485b72fc2e70ac5c694356c94a8de2b149dc9384694a3366e2
Instruction Fuzzy Hash: B101F561241619BBDA0CA514AD86FBB734DFB313A8F158020FE04EE342F725ED6082E1

Function 00832DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0082F2DE,00833863,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6), ref: 00832DFD
_free.LIBCMT ref: 00832E32
_free.LIBCMT ref: 00832E59
SetLastError.KERNEL32(00000000,00801129), ref: 00832E66
SetLastError.KERNEL32(00000000,00801129), ref: 00832E6F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction ID: 947301319337a180b21aa59c433c480b885b843cdfbd15314ab002f15d3c9f72
Opcode Fuzzy Hash: 2c96ed6fd8cb9f4a60b2b61f3c7f775b854dab8db4f2e0a5ab4a9762b6601972
Instruction Fuzzy Hash: 560128322056006BCA1277797C47E2B2A6DFBC13B9F29012AF825E22D3EF789C0150E1

Function 0086000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?,?,0086035E), ref: 0086002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?), ref: 00860064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0085FF41,80070057,?,?), ref: 00860070

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction ID: 57628a0b78ac3ceb904fecdba584dbcd4eadc754075fb3e791165db0d008e2c6
Opcode Fuzzy Hash: 41ddf933db7e62f770452ed5bb3ac9770780cc649dd36b5314ac01f9a4413142
Instruction Fuzzy Hash: DD01AD72600604BFDB109F68DC08FAB7AEDFF48792F194125F905E2210E7B2DD409BA0

Function 0086E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0086E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0086E9A5
Sleep.KERNEL32(00000000), ref: 0086E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0086E9B7
Sleep.KERNEL32 ref: 0086E9F3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction ID: c070cbc8cae8f794cdd4a4262032e3d480a32e9efff0b0596ddd70752856c383
Opcode Fuzzy Hash: e087b22774ee246d068d31b237a98b6635b9969f0b03ae1c2f31f37d8bb76bde
Instruction Fuzzy Hash: D1011335C0162DDBCF00AFE5D859AEEBF78FF09701F460556E902F2241CB3196558BA6

Function 008610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00861114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 0086112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00860B9B,?,?,?), ref: 00861136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086114D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction ID: 5589c469df15ae8b28fc05ccd579aabf5148f410a02e5a511c068a8c54e323e7
Opcode Fuzzy Hash: b44aebc25815ecd04ff4fba75697943c0fe7d1d75a5611c8b4aabe347a739b86
Instruction Fuzzy Hash: CD011D75100205BFDF125FA5DC4DA6A3B6EFF86360B59441AFA45D7360DA32DC009A60

Function 00860FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00860FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00860FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00860FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00860FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00861002

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction ID: 9377d3d8f968aef56d2172e3f51397de7690730d94b5e68b0238ba165db78f03
Opcode Fuzzy Hash: 52e828d61acd701bbf27200e0e38060b95309b9563628da18845be03316c682a
Instruction Fuzzy Hash: 8AF04935200701ABDF216FA49C4DF5A3BADFF89B62F694416FA45C6261CA72DC408A70

Function 00861014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction ID: 34c9516ae694fc55101a9a8186fe12d0c27b26a3605fbf5a1042135130a83153
Opcode Fuzzy Hash: 219ea3237ad43fbcd4fd3889ef1c94ac60b3748380c60fddecf8f1605dfe07e4
Instruction Fuzzy Hash: 17F04935200711ABDF21AFA4EC4DF5A3BADFF89761F290416FA45C6261CA72D8408AB0

Function 0087030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870324
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870331
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087033E
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 0087034B
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870358
CloseHandle.KERNEL32(?,?,?,?,0087017D,?,008732FC,?,00000001,00842592,?), ref: 00870365

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction ID: 073507c74a1badd152e21627b5e07a26aff391c3e20e25381eace0338b982eb3
Opcode Fuzzy Hash: 9bc6a25ead70fe620dc7d9b91a473990967127ff02133b1841271fcc8da85485
Instruction Fuzzy Hash: 0B019072800B15DFC730AF66D880412F7F5FE502153158A3FD19A92A31C371A954DE80

Function 0083D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0083D752

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 0083D764
_free.LIBCMT ref: 0083D776
_free.LIBCMT ref: 0083D788
_free.LIBCMT ref: 0083D79A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction ID: 28d4117e09feea9c10ae3f1a649de5ac06ab77fea863720e22e24c7b144fdee0
Opcode Fuzzy Hash: 5152aa6d084eb12419cb5d78579411a5367cdccfaae5e12817497019526a7d6a
Instruction Fuzzy Hash: ECF01D72545318AB8621EB68F9C6E2A7FEDFB84710FA40845F448E7502CB30FC808AE5

Function 00865C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00865C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00865C6F
MessageBeep.USER32(00000000), ref: 00865C87
KillTimer.USER32(?,0000040A), ref: 00865CA3
EndDialog.USER32(?,00000001), ref: 00865CBD

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction ID: 9246395327ac5690131b2c0af9010f1d7c23cc92d7b6def722d239c514cc3d15
Opcode Fuzzy Hash: c7f9ccfa66466798887f8ffe1caac1e49a8e0109c0f55b243faf326aa9f0db39
Instruction Fuzzy Hash: 07018170600B04AFEB216B50DD5EFA67BB8FB10B05F05055EA583E10E1DBF5A9948B90

Function 008322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008322BE

Part of subcall function 008329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000), ref: 008329DE
Part of subcall function 008329C8: GetLastError.KERNEL32(00000000,?,0083D7D1,00000000,00000000,00000000,00000000,?,0083D7F8,00000000,00000007,00000000,?,0083DBF5,00000000,00000000), ref: 008329F0

_free.LIBCMT ref: 008322D0
_free.LIBCMT ref: 008322E3
_free.LIBCMT ref: 008322F4
_free.LIBCMT ref: 00832305

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction ID: 637c81de3f7f40a188f64b7e7b09fbbf5aed84f43f65f3139067e602fb8ae1c7
Opcode Fuzzy Hash: d8444ba6ea7ee32c99e6be4744d8a267286f69d5785130056f581f82a78b9eab
Instruction Fuzzy Hash: 1DF05E748021309B8A12EF98BC01F0D3F64FB58760F11075BF818D22B5CB310812AFE5

Function 008195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008195D4
StrokeAndFillPath.GDI32(?,?,008571F7,00000000,?,?,?), ref: 008195F0
SelectObject.GDI32(?,00000000), ref: 00819603
DeleteObject.GDI32 ref: 00819616
StrokePath.GDI32(?), ref: 00819631

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction ID: 1b1d2465db9bfa641670957ebee65d88c963fd0f6e230c1cd0e34f773d115c8f
Opcode Fuzzy Hash: 49e85247755d56e7d28a2becea84479cb15021a38980a3442c47ec8fdd413447
Instruction Fuzzy Hash: 29F0B631006608FBDB166F65ED2C7A43F65FF11322F488316E469950F1C7318995DF24

Function 00830F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008310F9
__freea.LIBCMT ref: 00831117

Part of subcall function 00831537: _free.LIBCMT ref: 0083154F

Strings

am/pm, xrefs: 0083117A
a/p, xrefs: 008311DE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction ID: cc2f8f2664e90bd34bc34d67e9972c51c9b2775c2b7790991a870825ad30654a
Opcode Fuzzy Hash: 2b91ecf61b5decdc732d8f1057e37ecb91fbd3736417583ba28fae565b122cb4
Instruction Fuzzy Hash: 37D1CE3190020A9ADF289F68C85DBFEB7B1FF85B04F284159E901EBA51D7799D80CBD1

Function 00887B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00820242: EnterCriticalSection.KERNEL32(008D070C,008D1884,?,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082024D
Part of subcall function 00820242: LeaveCriticalSection.KERNEL32(008D070C,?,0081198B,008D2518,?,?,?,008012F9,00000000), ref: 0082028A

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 008200A3: __onexit.LIBCMT ref: 008200A9

__Init_thread_footer.LIBCMT ref: 00887BFB

Part of subcall function 008201F8: EnterCriticalSection.KERNEL32(008D070C,?,?,00818747,008D2514), ref: 00820202
Part of subcall function 008201F8: LeaveCriticalSection.KERNEL32(008D070C,?,00818747,008D2514), ref: 00820235

Strings

Variable must be of type 'Object'., xrefs: 00887C3A
G, xrefs: 00887C7F
5, xrefs: 00887C78

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2a4e3b3e1bdb05151d410b4f825aa49ac54235e282dff9323ae4ad2accb15ca9
Instruction ID: 8b3ab3c51d0ad932cd84e7348ccf2b68282fe80d4f16cbc1570dad887162c7b4
Opcode Fuzzy Hash: 2a4e3b3e1bdb05151d410b4f825aa49ac54235e282dff9323ae4ad2accb15ca9
Instruction Fuzzy Hash: 2E915970A04209EFCB14EF98D8919ADB7B2FF44304F248159F816EB292DB71EE45CB52

Function 00862716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0086B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621D0,?,?,00000034,00000800,?,00000034), ref: 0086B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00862760

Part of subcall function 0086B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0086B3F8

Part of subcall function 0086B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0086B355
Part of subcall function 0086B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B365
Part of subcall function 0086B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00862194,00000034,?,?,00001004,00000000,00000000), ref: 0086B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0086281A

Strings

@, xrefs: 00862832

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction ID: cde62b00fd52a8401e15d16b39ae2eaad396eebb045a7397fbab01d33c5d7e78
Opcode Fuzzy Hash: 92148420507071a821d9dcd18083f241a683dfba3e443c209768d7ccdef4fa2e
Instruction Fuzzy Hash: 4F412C72900218AEDB11DBA8CD46FEEBBB8FB09304F014099EA55B7181DB716E85CB61

Function 0083172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00831769
_free.LIBCMT ref: 00831834
_free.LIBCMT ref: 0083183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00831760, 00831767, 00831796, 008317CE

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction ID: b89e4afeb9279c86abafb9c0a1a6fa091c62080ec1ee837022e7d0feea444793
Opcode Fuzzy Hash: 7f1e3f207c2d7266842f82c11cc832f7fe2851064a8150a8a901b4d924e1f261
Instruction Fuzzy Hash: AF316A75A00218BBDF21DB99DC89D9EBBBCFFC5B10F1441A6E804D7215DAB08A40CBE5

Function 0086C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0086C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0086C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008D1990,00D86638), ref: 0086C395

Strings

0, xrefs: 0086C2DF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction ID: bb3d030d398ab7420b28eb2f7b797afc26f7af3cca91a8d3ec5738b6a76612e3
Opcode Fuzzy Hash: 674a27a647fd9f94a5156ce0bfe94f18a9446d671e38249d20695e41cda7f3f3
Instruction Fuzzy Hash: 5A417E312043019FD720DF29D945B6ABBA8FB85314F16861EF9A5D73D1D730E904CB62

Function 00894416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0089CC08,00000000,?,?,?,?), ref: 008944AA
GetWindowLongW.USER32 ref: 008944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008944D7

Strings

SysTreeView32, xrefs: 0089447C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction ID: 322b0315fec66548a4903a875d687ec8a142f340534ff9a48438d0e473539c61
Opcode Fuzzy Hash: 8f5c8eff0462b239375f67c1fdd211612b4b332899978896b473da3758fca003
Instruction Fuzzy Hash: 8331AB31210605ABDF20AE78DC45FEA7BA9FB08324F285319F979E21D0D770AC519B50

Function 0088304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0088335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00883077,?,?), ref: 00883378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0088307A
_wcslen.LIBCMT ref: 0088309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00883106

Strings

255.255.255.255, xrefs: 00883095, 0088309A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction ID: 5804f7b4e5ccbea3d5ff833cbf54b99cfca343596016f8cafa95be09f013717c
Opcode Fuzzy Hash: 5b6b268b28f5b7ad5080102290fa8cef9159166f740b3e79e46a910935d95595
Instruction Fuzzy Hash: 0131D339604205DFCB10EF68C885EAA77E0FF14B18F248069E916DB392DB72EE45C761

Function 00893EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00893F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00893F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00893F78

Strings

SysMonthCal32, xrefs: 00893F0B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction ID: f86130a67b65bfb9f68d2c18656c47d71e88a87420c80d90d97786b605187b8f
Opcode Fuzzy Hash: 074c145135646f8afd3cbfccbb34b3b275dad682fb3fbd0f0755de9bf58b7017
Instruction Fuzzy Hash: A2219C32600219BBDF22AF54DC46FEA3B79FF48714F150219FA15AB1D0DAB5A9508BA0

Function 00894653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00894705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00894713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0089471A

Strings

msctls_updown32, xrefs: 00894684

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction ID: af5b505238f3e69d9ae8c41939227caa1fdbbc4737d916fc808705e6aea64f5c
Opcode Fuzzy Hash: a3fad8a60a1459e869541132c1f2f1101c2874defc3a64f118dbaca3f9b491ed
Instruction Fuzzy Hash: 3C216DB5600208BFEB11EF68DC91DB637ADFB5A394B440049F601D7251DB31EC12CA60

Function 008695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086961D

Strings

#OnAutoItStartRegister, xrefs: 008695F3
#requireadmin, xrefs: 008695D9
#notrayicon, xrefs: 008695B7

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e4cb51ec05220bd1382e8e1d1600261d0cbee35b7740fd54c4e706e70277aa9e
Instruction ID: 819f17a46fe8db817cc95932a4b4dcf3eef0458285b9f5a4cced353202b0d4a8
Opcode Fuzzy Hash: e4cb51ec05220bd1382e8e1d1600261d0cbee35b7740fd54c4e706e70277aa9e
Instruction Fuzzy Hash: CF213B72104620A6C731AA28DC06FB773DCFF61314F154025F99AD71C1EB75AD85C296

Function 008937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00893840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00893850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00893876

Strings

Listbox, xrefs: 0089380F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction ID: 48b7194614a551e1c7cec0ee902601ff8d207171da5579b6b3a25bbd47290a5f
Opcode Fuzzy Hash: 12284f3358f866d370ad6361480259105c5d5c2c2bea841cc2938ca647682f5b
Instruction Fuzzy Hash: E7218E72610218BBEF21AF94CC85FBB376AFF89754F148125F915AB190C672DC528BA0

Function 008749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00874A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00874A5C
SetErrorMode.KERNEL32(00000000,?,?,0089CC08), ref: 00874AD0

Strings

%lu, xrefs: 00874A6F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction ID: 73d21f10f7c4857ccb9c8d0e8b1b3abc94ff479dcbde327d6d4149fa69d8983b
Opcode Fuzzy Hash: 91388d2b9fd8315be06e0fc18cb26849b8362366ec3d868272e50fdf72557157
Instruction Fuzzy Hash: CB311075A00119AFDB10DF58C985EAABBF8FF04308F1480A5E909DB252D775ED45CB61

Function 008941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0089424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00894264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00894271

Strings

msctls_trackbar32, xrefs: 00894226

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction ID: c6a293f48a03ca2efdb70d77918c59460eaff007c727ffebaf92cb1361e34f61
Opcode Fuzzy Hash: c782b7e664a2dfd208785bb5f43ff40a7a62464e06d9f991381c87f5b6955323
Instruction Fuzzy Hash: 90110632240208BEEF206F69CC06FAB3BACFF95B54F110524FA55E2190D271DC629B20

Function 00862F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00806B57: _wcslen.LIBCMT ref: 00806B6A

Part of subcall function 00862DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
Part of subcall function 00862DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
Part of subcall function 00862DA7: GetCurrentThreadId.KERNEL32 ref: 00862DDD
Part of subcall function 00862DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

GetFocus.USER32 ref: 00862F78

Part of subcall function 00862DEE: GetParent.USER32(00000000), ref: 00862DF9

GetClassNameW.USER32(?,?,00000100), ref: 00862FC3
EnumChildWindows.USER32(?,0086303B), ref: 00862FEB

Strings

%s%d, xrefs: 00862FFF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction ID: 6a0ee3667d2606ae025ace1824ceb2e6bf7cc18ea7484d81232bdf5291376b9a
Opcode Fuzzy Hash: a64d52044c51b9c185e8bd47dbb2fca7eea8fcb34b8a411e2e22c7188d945cc9
Instruction Fuzzy Hash: 6711D5B12002096BCF417F64CC95FED376AFF94314F0440B9B909DB292DE3199498B61

Function 00895882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008958EE
DrawMenuBar.USER32(?), ref: 008958FD

Strings

0, xrefs: 0089588F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2b36e55ee35cd76e4af76ff643dc97e9b4a4704937bb3e3132644d4e5ce494d5
Instruction ID: 662c36e1d7709ad8a816172cae2388d9feb4db9f40fe62ed0e8c05936bd76764
Opcode Fuzzy Hash: 2b36e55ee35cd76e4af76ff643dc97e9b4a4704937bb3e3132644d4e5ce494d5
Instruction Fuzzy Hash: 46016131500218EFDF51AF15EC44BAEBBB8FF45760F188099F949DA151DB308A84DF21

Function 0086007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction ID: 37902387b3fc9c1409a3920dea4062983d8ca2f06a29522b04aa0859364cb88a
Opcode Fuzzy Hash: a124d5e145415c16dd382b455f940d042e7b7a48687c5e48283dd983e40cb487
Instruction Fuzzy Hash: DFC14875A0020AAFDB15CFA8C894BAEB7B5FF48305F218598E505EB351D731EE41CB94

Function 00833E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00833F0B
__alldvrm.LIBCMT ref: 0083410C
__alldvrm.LIBCMT ref: 0083412E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2f515113cf7101786f8cc26bf7ad934458c31174d38ea7ac0c63882aa456002e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: AAA14872E00B869FDB25CF28C8917AEBBE4FFA1354F14416DE585DB281C638A981C7D1

Function 0088342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00883459
CoUninitialize.OLE32 ref: 00883463
VariantInit.OLEAUT32(?), ref: 0088346E
VariantClear.OLEAUT32(?), ref: 0088371B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction ID: 2030df8845041f95da0d96ce43007a58071cd48aec405e3aa7c274656357db55
Opcode Fuzzy Hash: 82b195f76f5eb76dd22457257e596cf3f174a769ed09783fd7e3ef1a84267bac
Instruction Fuzzy Hash: F0A12C756043019FC710EF28C985A6AB7E5FF88714F048859F98ADB3A2DB71EE41CB52

Function 00860436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 008605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0089FC08,?), ref: 00860608
CLSIDFromProgID.OLE32(?,?,00000000,0089CC40,000000FF,?,00000000,00000800,00000000,?,0089FC08,?), ref: 0086062D
_memcmp.LIBVCRUNTIME ref: 0086064E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction ID: fae24145e5c16cd9f24c6c5e85053d6982a3af8d9e668c3984d2673229fccce4
Opcode Fuzzy Hash: b5d58d11281a23afeb74fe69b4946732167255e7fcde13568227abe8a6bbb9b1
Instruction Fuzzy Hash: 1E810771A00209AFCB04DF94C988EEEB7B9FF89315F214558E506EB250DB71AE06CF64

Function 0088A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0088A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0088A6BA

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Process32NextW.KERNEL32(00000000,?), ref: 0088A79C
CloseHandle.KERNEL32(00000000), ref: 0088A7AB

Part of subcall function 0081CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00843303,?), ref: 0081CE8A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 295dab88255c5e0ac117444f00ba08c8b30d8b7f15e17150cccf523c5da8baf0
Instruction ID: ba083f29aab7e8c95c1382f5c5d8a38e215a94b948e723975d3fecd015b91d1b
Opcode Fuzzy Hash: 295dab88255c5e0ac117444f00ba08c8b30d8b7f15e17150cccf523c5da8baf0
Instruction Fuzzy Hash: 965118715083019FD754EF28C886A6BBBE8FF89754F00892DF585D7292EB70D904CB92

Function 00841391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008414C0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction ID: 4275f61880635cfd59fb4fde28ada4b445fe1e8fbe8f26715e4d371aadde1a29
Opcode Fuzzy Hash: 6ac7d2a17e89899b7b32bd03a8aa5652b45ef123e6844fee17460c683761c134
Instruction Fuzzy Hash: E9412C31A0011CABDF217BBD9C49AAE3AB6FF42370F144225F519D6292E77448C196A7

Function 00896278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008962E2
ScreenToClient.USER32(?,?), ref: 00896315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00896382

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction ID: de1d560f90dcd03baa5e4f2b34739c4817fa72a227610e47e9668f95bb415026
Opcode Fuzzy Hash: b82fb5b5826d88d7f20ee03d42aa81d2e5819ee130c10c3756efeb47e303cbd1
Instruction Fuzzy Hash: 8C512A74A00209AFDF10EF68D8909AE7BB5FF45360F14826AF815DB290E731AD91DB50

Function 00881AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00881AFD
WSAGetLastError.WSOCK32 ref: 00881B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00881B8A
WSAGetLastError.WSOCK32 ref: 00881B94

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction ID: 91d999376dcbdcd68f6bc4ad817a03bf3c5187cd2f1ac3f2d25a6c534b77f577
Opcode Fuzzy Hash: a4beb9041e71e2c3263480c8dde84c43131ebfaf10aca5de522992ba3efeb59e
Instruction Fuzzy Hash: FE4160746002006FEB20AF28C886F6577E5FB44718F548558F51ADF3D2DA72DD828B91

Function 0083B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction ID: cbcdcd003b52a90d12bb4d9b9bc3cf5dbbb95c8283ddcb1950d7d8f4c52e0493
Opcode Fuzzy Hash: 0b58be1daac30fcb4dc9668e6a14f0d654524aeb3310222dec4a12f17077d6a9
Instruction Fuzzy Hash: 054104B5A00318AFD7249F7CCC41BAABBA9FBC8720F10852AF241DB682D771994187C5

Function 008756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00875783
GetLastError.KERNEL32(?,00000000), ref: 008757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008757FA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction ID: a5b2dda8c6b092f567663782a24c170b67991b61713a3af8cec20801b746e20c
Opcode Fuzzy Hash: 41e32aadbb30920ec7ce270c2d6fae889afdd8cc3ad901bc754c71417821411f
Instruction Fuzzy Hash: 12412F35600610DFCB11EF59C944A5EBBE1FF49320B19C498E84A9B3A6CB75FD40CB92

Function 0083D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00826D71,00000000,00000000,008282D9,?,008282D9,?,00000001,00826D71,8BE85006,00000001,008282D9,008282D9), ref: 0083D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0083D9AB
__freea.LIBCMT ref: 0083D9B4

Part of subcall function 00833820: RtlAllocateHeap.NTDLL(00000000,?,008D1444,?,0081FDF5,?,?,0080A976,00000010,008D1440,008013FC,?,008013C6,?,00801129), ref: 00833852

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction ID: 3d7942a413fcebec472e03e41162bc5252c0285a973aaaf8546fa41562fe00fa
Opcode Fuzzy Hash: 3c37ad76c3bebf746788f84bf08fe78b6556e2d84097e570c65b8706c7ab29c7
Instruction Fuzzy Hash: 4C31CD72A0021AABDF259F69EC45EAE7BA5FB80310F050168FC04DB250EB35CD50CBE0

Function 008952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00895352
GetWindowLongW.USER32(?,000000F0), ref: 00895375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00895382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008953A8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction ID: 25e4b9972b9a3d8a2ec8b5b039c5cdc937f0280b3d604f512d1fe3ed67767379
Opcode Fuzzy Hash: a6b2d6c39f32eceac37457dc8f0bc61154a1f6ce9c045a9e6df374c64538f038
Instruction Fuzzy Hash: 5D31CF34A55A0CEFEF22BA54CC15BE97765FB06390F5C4102FA11D63E1C7B19980BB42

Function 0086AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0086ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0086AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0086AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0086ACC6

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction ID: aa8f958111d47c826776497e0ffbb549152acd52d0109538d5587b16557520b5
Opcode Fuzzy Hash: b06043590e8686e1a10b97054ac7d59a61860b15abf239b87057323c9e9b4671
Instruction Fuzzy Hash: 50310630A00618AFEF39CB69CC05BFA7BA9FB89310F09431AE485E61D1C37599859B53

Function 00897674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0089769A
GetWindowRect.USER32(?,?), ref: 00897710
PtInRect.USER32(?,?,00898B89), ref: 00897720
MessageBeep.USER32(00000000), ref: 0089778C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction ID: 1241753c1698f5aa440d3bd02bcb1abaf11708a56d469cc7bd1313b8070d091e
Opcode Fuzzy Hash: d78d9d33785ecaf5e966adce49508d2f4447e236e22e8b50c98243d63f7935c9
Instruction Fuzzy Hash: F1419A34A19254FFDF01EF98C898EA9BBF4FF89304F5941A9E814DB261C331A941CB90

Function 008916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008916EB

Part of subcall function 00863A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00863A57
Part of subcall function 00863A3D: GetCurrentThreadId.KERNEL32 ref: 00863A5E
Part of subcall function 00863A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008625B3), ref: 00863A65

GetCaretPos.USER32(?), ref: 008916FF
ClientToScreen.USER32(00000000,?), ref: 0089174C
GetForegroundWindow.USER32 ref: 00891752

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction ID: a2e83ad5022668c956182ce52d8562387c45f25b7d12ae48008350b30884a614
Opcode Fuzzy Hash: d713fc50b632530461b2692ba9e966b87ae53e3d3b7caf5dc6e43bed60ec6145
Instruction Fuzzy Hash: 00313075D00149AFDB00EFA9C885CAEBBF9FF48304B5480AAE415E7251EB31DE45CBA1

Function 0086DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

_wcslen.LIBCMT ref: 0086DFCB
_wcslen.LIBCMT ref: 0086DFE2
_wcslen.LIBCMT ref: 0086E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0086E018

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: fc0b072f4bca61633e6e6be9dca88bf2e37a8d8998590002ddb72931abed1583
Instruction ID: b9580ced354b28b545313640730c9e629faa275d0524ce7aa89210170ae1ea71
Opcode Fuzzy Hash: fc0b072f4bca61633e6e6be9dca88bf2e37a8d8998590002ddb72931abed1583
Instruction Fuzzy Hash: CA21D675D00614EFCB10DFA8D881BAEBBF8FF45750F154065E905FB242D6B09D818BA2

Function 00898FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetCursorPos.USER32(?), ref: 00899001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00857711,?,?,?,?,?), ref: 00899016
GetCursorPos.USER32(?), ref: 0089905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00857711,?,?,?), ref: 00899094

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction ID: ad60f25838247e32d7907ec14cd123c06d4c72281b393e8ae2158fd566dc5d1d
Opcode Fuzzy Hash: bab5037c7b682ab12b89b7640d540bc70e6d462e3f3a5c6eb069c3535c93917d
Instruction Fuzzy Hash: F1218D35600418FFCF25AF99CC58EEA7BB9FF49360F09416AF95587261C33299A0DB60

Function 0086D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0089CB68), ref: 0086D2FB
GetLastError.KERNEL32 ref: 0086D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0086D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0089CB68), ref: 0086D376

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction ID: 5f7be83541876c4be11a68fbcb6c2df4a6fda754e2bcba3697bcaa90ccbe0a58
Opcode Fuzzy Hash: 9bba62d7fd773695897fdefd69567ca4095d7f852317cf510fd76a20eee71ff3
Instruction Fuzzy Hash: F7218D70A083019FC710EF28C98186A77E8FE56328F554A1EF4A9C73E1E7319946CB93

Function 00861571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0086102A
Part of subcall function 00861014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00861036
Part of subcall function 00861014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861045
Part of subcall function 00861014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0086104C
Part of subcall function 00861014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00861062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008615BE
_memcmp.LIBVCRUNTIME ref: 008615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00861617
HeapFree.KERNEL32(00000000), ref: 0086161E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction ID: b0e36e3fc92bd6b443b6c9305953043f88603717fc9e0d949920b5411caa44d8
Opcode Fuzzy Hash: bf725af4a2ebb4187c1e20de9b47e4fb43480aaeefca1ba092ba7b3128a6e9e2
Instruction Fuzzy Hash: 87216631E00108AFDF00DFA8C94ABEEB7B8FF54354F1A4459E441EB242E731AA05CBA0

Function 00892782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0089280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00892832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00892840

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 61748d6c541293d2efb321a8a6ad9f342f0773635b32e17ef4863c493f94a95e
Instruction ID: 6bfb5443dda7ac89b470ffb5aba7dea9be339d489462c221e4366cfe6fd59ac2
Opcode Fuzzy Hash: 61748d6c541293d2efb321a8a6ad9f342f0773635b32e17ef4863c493f94a95e
Instruction Fuzzy Hash: 6221AE31204115BFDB14AB28CC44FAA7B95FF45328F188259F426DB6E2CB71EC42C791

Function 008678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00868D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868D8C
Part of subcall function 00868D7D: lstrcpyW.KERNEL32(00000000,?,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00868DB2
Part of subcall function 00868D7D: lstrcmpiW.KERNEL32(00000000,?,0086790A,?,000000FF,?,00868754,00000000,?,0000001C,?,?), ref: 00868DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867923
lstrcpyW.KERNEL32(00000000,?,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00868754,00000000,?,0000001C,?,?,00000000), ref: 00867984

Strings

cdecl, xrefs: 0086797B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4a928fc64533ea1580482d38d24f1e527b9fe073778d193c5fe6ad5a1a8a70e9
Instruction ID: 06b1211184ea564ee6da46711cdc77693269974dd96599a571038b8fa8a4b678
Opcode Fuzzy Hash: 4a928fc64533ea1580482d38d24f1e527b9fe073778d193c5fe6ad5a1a8a70e9
Instruction Fuzzy Hash: FA11293A200301ABCB156F38C844D7A7BE9FF85354B40402AF906CB364EB35D811C7A1

Function 00897CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00897D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00897D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00897D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0087B7AD,00000000), ref: 00897D6B

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction ID: 06ee91184c9b10692f92cfc1d1fbc258c7ba82fc7e43459d784c2ab5d36351ea
Opcode Fuzzy Hash: 8a6574157d49d378d336abb5c20dd92fbe8086262c8cef9371529988eb04d335
Instruction Fuzzy Hash: 8011AC71225614AFCF10AF68CC08AA63BA4FF45364F194329F839C72E0D7318D51CB50

Function 00895660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008956BB
_wcslen.LIBCMT ref: 008956CD
_wcslen.LIBCMT ref: 008956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00895816

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction ID: a02577e062458b893fe0bad38fe8d1206af3175d1705751defdabb2310a80124
Opcode Fuzzy Hash: be75a1d77ea79fd23bb5edc63e807c93ac73b7f3c87fb81080590bcbbea1cf64
Instruction Fuzzy Hash: FA11E671600618A6DF22FF65DC85AEE7BBCFF11764F18412AF915E6181E770CA80CB64

Function 00831D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction ID: 4f4f68f1d692fd71fd756d2fd14f8cfb34fdc76f980a88da9a62a92390f7fa21
Opcode Fuzzy Hash: 50829d5884532785e36751cc57682c3454854e42dbd28e1bf8528f2efef54520
Instruction Fuzzy Hash: 3B016DB220961A7EFA212A787CC5F676B1DFFC2BB8F341326F521E11D2DB619C0051A1

Function 00861A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00861A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00861A8A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction ID: 72f839c25688f10a385da1c96a4b29517dd0ae223be39bf4003bb1d42164dffa
Opcode Fuzzy Hash: 451215b0319d7c720ccd5b2b37f408e281a6c0af4ef66e933a2940da8ec69673
Instruction Fuzzy Hash: E211273A901229FFEF11DBA4C985FADBB78FB08750F250492EA04B7290D7716E50DB94

Function 0086E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0086E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0086E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0086E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0086E24D

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction ID: e62af0aa33605046fcd293bcaad68a9f82f58d9aa986a0e3afde2d3366fe8da5
Opcode Fuzzy Hash: f0d4183d727c6c36b60acd93e7315f330a4932e6756472727a5945ed6775c0e2
Instruction Fuzzy Hash: 42110476904218BBCB05AFA8AC09A9E7FADFF45320F044316F824E3390D3B58A0487A0

Function 0082D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0082CFF9,00000000,00000004,00000000), ref: 0082D218
GetLastError.KERNEL32 ref: 0082D224
__dosmaperr.LIBCMT ref: 0082D22B
ResumeThread.KERNEL32(00000000), ref: 0082D249

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction ID: e9049dd7208509d9427e6897d0c82120cd7b14c7d5c4ca12d8a3eca22a0fa2fb
Opcode Fuzzy Hash: d8e6b161935999bc92f513e89511a1ef77cb1392516f91e4ae20525c4cdad1d2
Instruction Fuzzy Hash: 0E01D636405328FBDB116BA9EC09BAE7E69FF81330F10422AF925D21D1CF719981C6A1

Function 00899EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00819BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00819BB2

GetClientRect.USER32(?,?), ref: 00899F31
GetCursorPos.USER32(?), ref: 00899F3B
ScreenToClient.USER32(?,?), ref: 00899F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00899F7A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction ID: 3218d1c87f1b5fb4da985aed47344a41cd06f06c95938e0952251fb7ec32e864
Opcode Fuzzy Hash: 0267a0dfc20233d34c0be89947ca92f0d4160a4d136feffa5e8cc7e98bb8ecf6
Instruction Fuzzy Hash: 1411063290051ABBDF10EFA8D8499EEB7B9FF45311F48055AF952E3150DB31BA81CBA1

Function 0080600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
GetStockObject.GDI32(00000011), ref: 00806060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction ID: e0441524981d65e31eb4fe6c346e1b43fb8817aaadd5f0857719a551987d1fe8
Opcode Fuzzy Hash: 237d64e4dc6f2d5b80beec6054107cd9759d6b1e2fd430e2709a7d1bdcd990f4
Instruction Fuzzy Hash: 64115E72541909BFEF525F949C54EEA7BA9FF18364F040216FA14A2150D7329C709BA0

Function 00823B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00823B56

Part of subcall function 00823AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00823AD2
Part of subcall function 00823AA3: ___AdjustPointer.LIBCMT ref: 00823AED

_UnwindNestedFrames.LIBCMT ref: 00823B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00823B7C
CallCatchBlock.LIBVCRUNTIME ref: 00823BA4

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 57a96f9d232351bcea7ec44e1662ae2104662810588e166a296c8736f95da79f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B1012932100158BBDF126E99EC42EEB3F6AFF48764F044014FE48A6121C736E9A1DBB1

Function 00833073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008013C6,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue), ref: 008330A5
GetLastError.KERNEL32(?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000,00000364,?,00832E46), ref: 008330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0083301A,008013C6,00000000,00000000,00000000,?,0083328B,00000006,FlsSetValue,008A2290,FlsSetValue,00000000), ref: 008330BF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction ID: 6c08a87d50c75a396330122b30597291aa7779989be873d6c845ffe6ec742e8c
Opcode Fuzzy Hash: ba0863dc0c575703941acad85aa65f15ba1969855ef1e78dcaa9738ef18ca620
Instruction Fuzzy Hash: 82012B32301A26ABCB354BB8AC94A577B98FF85B71F240721F905E7150C722D901C6E0

Function 00867464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0086747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00867497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008674CA

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction ID: 4f07bd7e1c89738e8567621334a30edc0bcaf40f63d8cdfb301dde3fdaad68ae
Opcode Fuzzy Hash: 191a84fa1b27d70f5a69a27d85bcc563d48397bcecf85d1662bec409b5c26c17
Instruction Fuzzy Hash: CF11EDB0205305ABE7209F14ED0CB927BFCFB00B08F10816AE616D6091DBB1E904CBE4

Function 0086B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0086ACD3,?,00008000), ref: 0086B126

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction ID: 8ed625704996127aaf883266451de57a698d24dfa44a335e8fdc21b2c3e191b3
Opcode Fuzzy Hash: f6c74dadd2710573b1c159377a5c31fadf0222e76ffaae897505c95b9ebcc7bb
Instruction Fuzzy Hash: E9116131C0151DEBCF00AFE4E9596EEBF78FF4A715F124086D941F2145DB3095908B55

Function 00897E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00897E33
ScreenToClient.USER32(?,?), ref: 00897E4B
ScreenToClient.USER32(?,?), ref: 00897E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00897E8A

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction ID: c2fad51a09b8545a5c1a7365651bcc8cb0d8a931df1c43e5286267066b3e807e
Opcode Fuzzy Hash: 43126736beebe8cbd66e7b607bc484445fcc169ad4ea8cbcaac8cedef8295438
Instruction Fuzzy Hash: 781142B9D0024AAFDB41DF98C884AEEBBF9FF18310F549066E915E3210D735AA54CF90

Function 00862DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00862DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00862DD6
GetCurrentThreadId.KERNEL32 ref: 00862DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00862DE4

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction ID: 7f4d1dd98cef51dab3f825fa3cdeebf3abbce7582079d21d20d0bc118169e8ea
Opcode Fuzzy Hash: 3bbc4af23fb6969083679893f592decf53432d37e323752289e40880dfe3b0e3
Instruction Fuzzy Hash: 1FE092B11016287BDB202B739C0DFEB3E6CFF52BA1F45055AF106D10909AA2C840C6B0

Function 00898863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00819639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00819693
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196A2
Part of subcall function 00819639: BeginPath.GDI32(?), ref: 008196B9
Part of subcall function 00819639: SelectObject.GDI32(?,00000000), ref: 008196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00898887
LineTo.GDI32(?,?,?), ref: 00898894
EndPath.GDI32(?), ref: 008988A4
StrokePath.GDI32(?), ref: 008988B2

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction ID: 7b922cdc4c534b7fb871ba14ef656f66f4f30b1cb535a229a5bebe303eed893e
Opcode Fuzzy Hash: 875e789f8608da76eaf419c8e919eec827795199dee94b5204ffdd31a0a86b9d
Instruction Fuzzy Hash: 4BF03A36042659FADF127F94AC0DFCA3F59BF06310F488102FA11A50E1C7765551CBB9

Function 008198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008198CC
SetTextColor.GDI32(?,?), ref: 008198D6
SetBkMode.GDI32(?,00000001), ref: 008198E9
GetStockObject.GDI32(00000005), ref: 008198F1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction ID: 50fffd5f3a35eb52083ccec8e3cf2c603429e597713bd657bf6c6ee831a1c7cb
Opcode Fuzzy Hash: 97ffb403a42fcb46453fd1009a5442cdb8d23d839c9651d44c653eb2ed29ea68
Instruction Fuzzy Hash: 19E06531244240ABDB216B74BC09BD83F10FB11336F08C21AF7FA940E1C77246449B10

Function 0086162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00861634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008611D9), ref: 00861648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008611D9), ref: 0086164F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction ID: 132fc47aebb1da762e8ec8f610bd99aa8a68bbf17e103d922ab1a52981c61662
Opcode Fuzzy Hash: af96083f4ee5a5954e4a1b4e5732535c16f90606ec955e242e4d8fadc7029e2a
Instruction Fuzzy Hash: BBE08C36602211EBDB202FE1AE0EB863B7CFF54792F1D880AF245C9080E6358440CB60

Function 0085D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D858
GetDC.USER32(00000000), ref: 0085D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction ID: 3ddd6da0ec06de87f3a537d7b80321c8b514de4f082c354e86a01086b273d8a1
Opcode Fuzzy Hash: 8e1889562a010ce147d0f3ecb67a6040ae95fc013926f88f20c9204d386840d4
Instruction Fuzzy Hash: A0E01AB1800205DFCF42AFA0D80866DBBB5FB18311F18841AE806E7250CB3A9945AF51

Function 0085D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0085D86C
GetDC.USER32(00000000), ref: 0085D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0085D882
ReleaseDC.USER32(?), ref: 0085D8A3

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction ID: 21eb97bb661c07369737cd54813e66b12010b6e2ebcd9800c521f8d48ed3022d
Opcode Fuzzy Hash: 5841a565cbdcce25d4502059b02644b5be764c9a86b4818a9b2b33b9f2c1c475
Instruction Fuzzy Hash: 7DE012B1800204EFCF42AFA0D80866DBBB5FB18310F18800AE80AE7250CB3A9901AF50

Function 00874D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00807620: _wcslen.LIBCMT ref: 00807625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00874ED4

Strings

LPT, xrefs: 00874DFB
*, xrefs: 00874E10

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 13d0a834c8908c37b035b9abbdc6176fb169576c27523a4fed0ff6b8a412265c
Instruction ID: 560f95e09a76289c108a649241d84148fabda621ff3eff7c12c9ca592cba90d8
Opcode Fuzzy Hash: 13d0a834c8908c37b035b9abbdc6176fb169576c27523a4fed0ff6b8a412265c
Instruction Fuzzy Hash: D8914C75A002049FCB14DF58C884EA9BBF1FF44318F19D099E40A9B3A6DB71ED85CB91

Function 0082E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0082E30D

Strings

pow, xrefs: 0082E2E5, 0082E302

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction ID: cdecedc928b9e3e0eea04b37a48fc4cd4ada1bebd842e984ce279fb5c1468b71
Opcode Fuzzy Hash: 9d6b3abadc9c9bae251832981583a67e3a6802af8d40b2f9ac69096d289436b6
Instruction Fuzzy Hash: B2515CA1A0C10696DB35B718E9053793B94FF80B41F304968E496C27EDDF35CCD19ACA

Function 0081E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0081E1B1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction ID: 30da81b18b43c44b5224f22af6b4fc4c2b3a2a1c1b454008d1a1e704167722eb
Opcode Fuzzy Hash: 587d8d732d646f83363f8288656b6e54f3b3dca3a07d35d8054798e34c02510d
Instruction Fuzzy Hash: 5C51317590025ADFDB19DF28C891AFA7BA9FF19311F244059FC91DB2C0D6309E86CBA1

Function 0081F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0081F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0081F2BB

Strings

@, xrefs: 0081F2AF

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction ID: aa7d59a2a8fdc163b82e70fce5cd6ffd762f1cd1a4452604f2101694a1bb4cf4
Opcode Fuzzy Hash: 52bf6ba008d42364ce297f5a60d70eb737cdd33ea9e925cbc1dfe7e428a27a64
Instruction Fuzzy Hash: 7E516871418B459BE320AF14DC86BABBBF8FB84300F81495DF29981195EF709529CB67

Function 00885745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008857E0
_wcslen.LIBCMT ref: 008857EC

Strings

CALLARGARRAY, xrefs: 008857E6, 008857EB

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ac39d8b3b38c8ce6a5a87136ff4ba22ac7e40d9c99f065f4ace59b466c870115
Instruction ID: 1e72271f667a55dd6ec4935f2d7ee5d12ec6a467d1b70479940d2cac799cfe62
Opcode Fuzzy Hash: ac39d8b3b38c8ce6a5a87136ff4ba22ac7e40d9c99f065f4ace59b466c870115
Instruction Fuzzy Hash: 3D419F31E002099FCB14EFA9C8819EEBBB5FF59724F14406AE505E7292E7709D81CBA1

Function 0087D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0087D13A

Strings

|, xrefs: 0087D10B

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction ID: 4737ce9d027a86c2d5aeaebc8f550e2242969397b18714dc15330ca66c82f32c
Opcode Fuzzy Hash: 6c2e81f2bbeea06d80f20ce61646f47672b823711f86a7edeef4324b5b5a1ff0
Instruction Fuzzy Hash: A8311C71D01219ABCF55EFA4CC85AEEBFB9FF04300F504019F819E6166E731A956CB61

Function 0089356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00893621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0089365C

Strings

static, xrefs: 008935BC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7dd44e455f92afb9250ec5b6e99e3094c53a8d54a87d78368a491d61b540dd2a
Instruction ID: 5e68ed8a444419e6b8f2c6b03bf821148d255d115e7adf86461afb7cc3904039
Opcode Fuzzy Hash: 7dd44e455f92afb9250ec5b6e99e3094c53a8d54a87d78368a491d61b540dd2a
Instruction Fuzzy Hash: 66318D71100604AEDF11EF68DC80EFB73A9FF98724F048619F8A5D7280DA31AD91D760

Function 00894537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0089461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00894634

Strings

', xrefs: 0089458E

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction ID: 8cf165159863e897f1ae8023b8b08a852d8c0615c1b3a43485589e872f0ab28a
Opcode Fuzzy Hash: 504b3ff00e65e84ad99ba8f618730ee92ca2798985dbafbda255d528c6290042
Instruction Fuzzy Hash: 413117B4A0120AAFDF14DFA9C990BDABBB5FF09300F15516AE905EB341D770A942CF90

Function 008931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0089327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00893287

Strings

Combobox, xrefs: 00893249

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction ID: bb3e0cd527978fe8a8804a1dd3d133c169659f0275b0f186aaaf824cc61a8643
Opcode Fuzzy Hash: 36ea2754e4ec93b264764d437b220900d10e53691410ec04297b488b4d16be27
Instruction Fuzzy Hash: 1711B2713002087FFF25AF94DC84EBB376AFB94365F144129F918E7290D6319D518760

Function 00893710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0080600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0080604C
Part of subcall function 0080600E: GetStockObject.GDI32(00000011), ref: 00806060
Part of subcall function 0080600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080606A

GetWindowRect.USER32(00000000,?), ref: 0089377A
GetSysColor.USER32(00000012), ref: 00893794

Strings

static, xrefs: 00893757

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction ID: 2f4685d0aac21f2f8307776377cb9f936074a35e7aaecc7b60abb7d2c836643e
Opcode Fuzzy Hash: a237170771fd3a8dbe1a78757abd649abc9863a2809bbb22dfa799cf377cf763
Instruction Fuzzy Hash: 971129B2610209AFDF01EFA8CC45AFA7BB8FB08314F044925F955E2250E735E8619B50

Function 0087CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0087CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0087CDA6

Strings

<local>, xrefs: 0087CD66

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction ID: 10ef4d07e697c9a8baa434b89c5372517d136f9b0f5a1cdff11a584b0c501401
Opcode Fuzzy Hash: f0be2a1c8c50dc760c2485a00c0e9a57aec9e039362e3d5888d1e130c20d6fce
Instruction Fuzzy Hash: 8F11A071205635BAD7384AA68C89EE7BEA8FB127A8F00822EB10DC3184D674D840D6F0

Function 00893429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008934BA

Strings

edit, xrefs: 0089348F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction ID: d1b6d4b552b483437ff68152d74004a279cd491fdf9da92607cad85f97b2578c
Opcode Fuzzy Hash: ac3fdcbdae4ebb63deb7700ab94449667aa0126831963ad20406941f428a065f
Instruction Fuzzy Hash: 85119D71100108AAEF12AE64DC44AAA37AAFB25378F554324F961D31D0C732ED519768

Function 00866C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

CharUpperBuffW.USER32(?,?,?), ref: 00866CB6
_wcslen.LIBCMT ref: 00866CC2

Strings

STOP, xrefs: 00866CBC, 00866CC1

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction ID: d3dda77b3eecfc451da0f7dabf6073d7852bc3dae7efa55c79ca42c5d2d2091d
Opcode Fuzzy Hash: 39d140c8f93d4fcae6b4ee9d534ea28d6b8f890c41569a1fe73ae13ba4914e6c
Instruction Fuzzy Hash: 2501C432A1096A8ACB21AFBDDC809BF77B5FF61714B120528E862D6191FA32D960C650

Function 00861CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00861D4C

Strings

ComboBox, xrefs: 00861CEB
ListBox, xrefs: 00861D16

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction ID: 6a01332b6d63f022957dc2f2eb1af2041aab77c4a9dce760caf38fb5e34dbad4
Opcode Fuzzy Hash: 2df13f255686c8ab56cc1bc8e471a2ce0e2c6a81f8de6ad9a2ca7894168c3e22
Instruction Fuzzy Hash: 0601D871601218ABCF44EBA8CC55DFE7768FF56350F080519F872E73C2EA3159088761

Function 00861BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00861C46

Strings

ComboBox, xrefs: 00861BE5
ListBox, xrefs: 00861C10

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction ID: bcd2bdf5a72d6a4bb9899960583e601d2b129585b84231c0371f8336e87b86bf
Opcode Fuzzy Hash: c494108e1e3c74ab646bb898aa35d5b45b5a7c8dde97c6694b2aafcd7208b0c3
Instruction Fuzzy Hash: F401B171A8010866CF05EB94CD56AFF77A8FB21340F190019E456E32C2EA209E1896B2

Function 00861C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00861CC8

Strings

ComboBox, xrefs: 00861C69
ListBox, xrefs: 00861C94

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction ID: 97f1af695585f01dd8f38c76d10add04accd16b8a14787d54762ab0196e21954
Opcode Fuzzy Hash: dbb4b20cbe7bfb15a85dd309e9ea4405f0b680690a85069d62653847f9fae5ad
Instruction Fuzzy Hash: 0B01A2B1A8011866DF14EBA8CE05EFF77A8FB11340F190019B842F32C3EA219F08D672

Function 00861D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809CB3: _wcslen.LIBCMT ref: 00809CBD

Part of subcall function 00863CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00863CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00861DD3

Strings

ComboBox, xrefs: 00861D75
ListBox, xrefs: 00861DA0

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction ID: 59ac708b54c17d1f94dd8662ba431658b50fabdfa869aaccb18b5663c7b0c440
Opcode Fuzzy Hash: a853b8e5e49771a676924a0e9cb6b59006457064d73677f418e23da97dc0dcf5
Instruction Fuzzy Hash: 1DF08171A4121866DB04A7A8CC56FFF7778FB11350F090919F862E32C2DA60AA088361

Function 0088747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00887493
_wcslen.LIBCMT ref: 008874B9

Strings

3, 3, 16, 1, xrefs: 00887483

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction ID: efadeb4b3d22f665e556b9c50f7e805f6ec9fdd0375f1483e078fe0b3f815b07
Opcode Fuzzy Hash: 84506b8fc46cac3dfc3d7dc7d321f89ddc2adf85e0ed315a46b00c490b5ec228
Instruction Fuzzy Hash: D7E02B02204230109231327DACC1A7F5A99FFC5750734282BF985D2276EAD4CDD193B6

Function 00860B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00860B23

Strings

AutoIt, xrefs: 00860B17
Error allocating memory., xrefs: 00860B1C

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3ed97f06f9faec61c15dd9a00001ffbd7406ad0753c924f86ec958a8ad56cab1
Instruction ID: 1359df5513aee643b001c521bbe2296da153dfd2078ec99424c046e8e8297c9e
Opcode Fuzzy Hash: 3ed97f06f9faec61c15dd9a00001ffbd7406ad0753c924f86ec958a8ad56cab1
Instruction Fuzzy Hash: 5AE0483124431836D61537987C03FD97E88FF05B65F14446AF798D95C38AE264E056BA

Function 00820D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0081F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00820D71,?,?,?,0080100A), ref: 0081F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 00820D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 00820D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00820D7F

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction ID: 8c2808eb2d02d1b811386a1cbe24f32116129fc638502573066ece1199ba322b
Opcode Fuzzy Hash: dc6b99b62c5fdfc62dd2f5d3c2fd1bedee2c3e7c0f9301b94a44320d5dc69fa3
Instruction Fuzzy Hash: 83E06D702017518BD760AFFCE8083467BE4FF00740F044A2EE582C6652DBB5E4888F91

Function 00873017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0087302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00873044

Strings

aut, xrefs: 00873038

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction ID: e3c1315efbe73427d03b54aa80797e60b1aabab7971044bfc9b6fb963ba77463
Opcode Fuzzy Hash: b7e29768a778d72841e2cfc4be78284963798d73d678bd970f22865a3a26d770
Instruction Fuzzy Hash: C2D05E7250032877DA20A7E4AC0EFCB3B6CEB04750F0002A2B655E2091EAB5D984CAE0

Function 0085D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0085D220

Strings

%.3d, xrefs: 0085D22B
X64, xrefs: 0085D2A8

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction ID: 82ebf2e436e697812ab780b1194ccd3c50eb0a7f7034d2e7a743619b4ab795ec
Opcode Fuzzy Hash: 65635e7c3c333a565ef2dea759344dd2ceca1016fc781564f595eaff4a039a90
Instruction Fuzzy Hash: 95D0127580830CE9CB6097E0CC459F9B37CFF08306F908456FD06D1041D634E58CAB62

Function 00892322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0089233F

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892325

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction ID: 36859f35ded1d2a0d9e680eb972b3c4ee392bb07fd7d16a379ae0603df32265d
Opcode Fuzzy Hash: 52836cfca81a59dc4745bc4b4e84eb203b792d09179321a0c7f2977492664187
Instruction Fuzzy Hash: BCD0C936394310B6E6A4B7709C4FFC66A24BF10B10F054A2A7755EA1D4D9B5A8118A54

Function 00892356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089236C
PostMessageW.USER32(00000000), ref: 00892373

Part of subcall function 0086E97B: Sleep.KERNEL32 ref: 0086E9F3

Strings

Shell_TrayWnd, xrefs: 00892365

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction ID: fb497b0ccc96818c90d4456fe7d37c25b8775d9f3a3d31e8f8b511cf71e0d53a
Opcode Fuzzy Hash: 921ac969ae1008f37ba2d7c1a9d6555043e95f55ecf021c3c5302fb77e1096b4
Instruction Fuzzy Hash: 64D0C9363813107AE6A4B7709C4FFC66A24BB14B10F054A2A7755EA1D4D9B5A8118A54

Function 0083BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0083BE93
GetLastError.KERNEL32 ref: 0083BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0083BEFC

Memory Dump Source

Source File: 00000000.00000002.2102653133.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2102611863.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.000000000089C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103019576.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103128585.00000000008CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2103172552.00000000008D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction ID: 7ada22fd652caf26fd0b1fc8b2855e043cb7addf9dc816a1b595ceef77e4101e
Opcode Fuzzy Hash: 4ef2a8efa833988a0dd58039972ff77f2781da3fb3ed77b5363a3b7abea52b06
Instruction Fuzzy Hash: 624107B4600216EFCF219F69DC54ABA7BA4FF81310F14516AFA59DB1A1DF308C00CBA1

Analysis Process: firefox.exePID: 7852, Parent PID: 320COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001B1D90F4772 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001B1D90F47D7

Strings

>, xrefs: 000001B1D90F887F
>, xrefs: 000001B1D90F4839
#, xrefs: 000001B1D90F2B45
#, xrefs: 000001B1D90F4802
z, xrefs: 000001B1D90F5DB6
z, xrefs: 000001B1D90F480B
A, xrefs: 000001B1D90F47CF
#, xrefs: 000001B1D90F58B1
>, xrefs: 000001B1D90F55DC
4, xrefs: 000001B1D90F8859

Memory Dump Source

Source File: 00000011.00000002.3915776026.000001B1D90F2000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001B1D90F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1b1d90f2000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 5d7f20418ae08098b5ef7e00851cbbe2004ae2981cdee6e9aa714a271909b211
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 8FA3E431618A488BDB2DDF58DC956E973EAFB98700F54422EDC4BC7255DF34EA028AC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2253767331.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272435362.00000237334BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2278691360.0000023735B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143440877.0000023735B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2142579840.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271669930.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230437271.0000023731AAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2232823349.000002372D681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2142579840.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271669930.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289121889.000002372A7F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289121889.000002372A7E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2105065279.000002372A7E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2278691360.0000023735B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143440877.0000023735B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2142579840.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271669930.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230437271.0000023731AAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2232823349.000002372D681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2142579840.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271669930.0000023735B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2274236859.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248517191.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8A0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2274236859.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248517191.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8A0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2274236859.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248517191.000002372C4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3911160532.000001B1D8A0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289121889.000002372A7F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289121889.000002372A7E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2105065279.000002372A7E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2278691360.0000023735B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296488202.0000023731E6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290868508.0000023727975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2253767331.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272435362.00000237334BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294891321.00000237334F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289121889.000002372A7BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284717279.000002372B3B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50032 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ea8d1c3b-35c2-4a2d-b0c9-24e5273eb81e.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3KJ86XENC2UGPNFX7AU3.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TEM7ML0AUJ4S12ZKWLWP.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre