Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561679
MD5:	4676050a0ef5a185953ab79d47cb8585
SHA1:	dec41077d44ded9ce6d7bcf29848ebf49a89b6fe
SHA256:	bba632ef9970be97837b7cd9fad3df8c7a0f8476cb2bb8805e1f05c6b5167fd0
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4676050A0EF5A185953AB79D47CB8585)

taskkill.exe (PID: 7452 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7548 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7620 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7684 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7748 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7812 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7844 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7860 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8080 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd69434-b1bf-4028-b798-7c4ee918bc54} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf76f710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7568 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 3808 -prefMapHandle 2780 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a23b37-65e5-4176-a8ce-8938ffe3cfe9} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14ef1865210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3652 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5500 -prefMapHandle 5476 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69513a0f-09df-48a4-80b6-37d61aa73f6e} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf774310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7436	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_009CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_009CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_009BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2a0c75aa-e
Source: file.exe, 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4f8eaa70-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a622b533-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e475d394-c

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1B9C37 NtQuerySystemInformation,		16_2_000001F42A1B9C37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1D98B2 NtQuerySystemInformation,		16_2_000001F42A1D98B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_009BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C2046	0_2_009C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00958060	0_2_00958060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B8298	0_2_009B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E4FF	0_2_0098E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098676B	0_2_0098676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E4873	0_2_009E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097CAA0	0_2_0097CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095CAF0	0_2_0095CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096CC39	0_2_0096CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00986DD9	0_2_00986DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009591C0	0_2_009591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096B119	0_2_0096B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971394	0_2_00971394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971706	0_2_00971706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097781B	0_2_0097781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009719B0	0_2_009719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00957920	0_2_00957920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096997D	0_2_0096997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977A4A	0_2_00977A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00977CA7	0_2_00977CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971C77	0_2_00971C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989EEE	0_2_00989EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DBE44	0_2_009DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00971F32	0_2_00971F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1B9C37	16_2_000001F42A1B9C37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1D98B2	16_2_000001F42A1D98B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1D98F2	16_2_000001F42A1D98F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F42A1D9FDC	16_2_000001F42A1D9FDC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00970A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0096F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: firefox.exe, 0000000D.00000003.2028378679.0000014EEB42F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: com.com.slN

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@64/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C37B5 GetLastError,FormatMessageW,

0_2_009C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B10BF AdjustTokenPrivileges,CloseHandle,		0_2_009B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009BD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009542A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd69434-b1bf-4028-b798-7c4ee918bc54} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf76f710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 3808 -prefMapHandle 2780 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a23b37-65e5-4176-a8ce-8938ffe3cfe9} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14ef1865210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5500 -prefMapHandle 5476 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69513a0f-09df-48a4-80b6-37d61aa73f6e} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf774310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd69434-b1bf-4028-b798-7c4ee918bc54} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf76f710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 3808 -prefMapHandle 2780 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a23b37-65e5-4176-a8ce-8938ffe3cfe9} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14ef1865210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5500 -prefMapHandle 5476 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69513a0f-09df-48a4-80b6-37d61aa73f6e} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf774310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.2019724885.0000014EF7601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.2078399120.0000014EEEDC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.2054046673.0000014EEEDC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.2078399120.0000014EEEDC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.2076796361.0000014EEEDC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.2054046673.0000014EEEDC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.2064305714.0000014EF297C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.2019724885.0000014EF7601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.2076796361.0000014EEEDC1000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970A76 push ecx; ret

0_2_00970A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0096F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97732

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F42A1B9C37 rdtsc

16_2_000001F42A1B9C37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C68EE FindFirstFileW,FindClose,	0_2_009C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: firefox.exe, 0000000E.00000002.3056076826.0000016888B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: firefox.exe, 00000010.00000002.3055525415.000001F42A2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe=f
Source: firefox.exe, 00000010.00000002.3050049492.000001F42993A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 00000010.00000002.3055525415.000001F42A2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: firefox.exe, 0000000E.00000002.3050679374.00000168884FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: firefox.exe, 00000010.00000002.3055525415.000001F42A2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: firefox.exe, 0000000E.00000002.3050679374.00000168884FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3054264039.000001B279610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3055525415.000001F42A2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: firefox.exe, 0000000E.00000002.3055237669.0000016888A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000014.00000002.3050301361.000001B2792FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@%ay
Source: firefox.exe, 0000000E.00000002.3056076826.0000016888B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: firefox.exe, 0000000E.00000002.3056076826.0000016888B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F42A1B9C37 rdtsc

16_2_000001F42A1B9C37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009CEAA2 BlockInput,

0_2_009CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00982622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00974CE8 mov eax, dword ptr fs:[00000030h]

0_2_00974CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_009B0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00982622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0097083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009709D5 SetUnhandledExceptionFilter,	0_2_009709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00970C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00970C21

Source: C:\Users\user\Desktop\file.exe

0_2_009B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00992BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00992BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009BB226 SendInput,keybd_event,

0_2_009BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009D22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_009B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970698 cpuid

0_2_00970698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009AD27A GetUserNameW,

0_2_009AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0098BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.206	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.3051536611.000001B2795C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1959796413.0000014EEFB6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2034520007.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942019678.0000014EF048F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004959132.0000014EF076F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949636787.0000014EEFB6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2018576352.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2068502288.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958715622.0000014EEFB6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953196630.0000014EEFB6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031816146.0000014EF7A52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000E.00000002.3052068404.00000168888CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3051703713.000001F429DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3054467705.000001B279803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1925759244.0000014EF7E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924099611.0000014EF7E23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923668250.0000014EF7E23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3051536611.000001B27958F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.2098595158.0000014EF08FD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.2060596613.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014308139.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2098136061.0000014EF09A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.2031816146.0000014EF7A52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.2031343559.0000014EF7A9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2097801623.0000014EF09C9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1863973694.0000014EEF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864340672.0000014EEF25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864580780.0000014EEF277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863633912.0000014EEF000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864163616.0000014EEF23C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.2034520007.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2018576352.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2068502288.0000014EF0EFC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.2009945603.0000014EFB1EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1863973694.0000014EEF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864340672.0000014EEF25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864580780.0000014EEF277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863633912.0000014EEF000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864163616.0000014EEF23C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.2041156618.0000014EF0A1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2064305714.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017849758.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1863973694.0000014EEF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864340672.0000014EEF25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864580780.0000014EEF277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863633912.0000014EEF000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864163616.0000014EEF23C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.2086425566.0000014EF9B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2067871840.0000014EF19C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017849758.0000014EF29DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929156331.0000014EF19C8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.2098595158.0000014EF08FD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000E.00000002.3052068404.00000168888CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3051703713.000001F429DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3054467705.000001B279803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.2055731030.0000014EFB189000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.2010346062.0000014EFAED9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.2018576352.0000014EF0EAB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.2031148014.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059016428.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2071334367.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000E.00000002.3052068404.00000168888CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3051703713.000001F429DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3054467705.000001B279803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.2010346062.0000014EFAEBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3051703713.000001F429D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3051536611.000001B27950C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.2011833619.0000014EF7DD7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.2060596613.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014308139.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2056304003.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.3051536611.000001B2795C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.2088093519.0000014EF34A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1951533826.0000014EEFB27000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.2043963550.0000014EF0AED000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.2056304003.0000014EFAED9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.2034012414.0000014EF1DA4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.2031343559.0000014EF7A9D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.2031148014.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059016428.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2071334367.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000014.00000002.3051536611.000001B279513000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.2060596613.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014308139.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.2031343559.0000014EF7ADC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000D.00000003.2031148014.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059016428.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2071334367.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.2076314224.0000014EF2D65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962585985.0000014EF04B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948857527.0000014EF04B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960786236.0000014EF2DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2032991315.0000014EF1ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2015884497.0000014EF7514000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960786236.0000014EF2D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1993123364.0000014EF2DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2043207030.0000014EF0B43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2024377329.0000014EEF7E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014446088.0000014EF7549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2032078092.0000014EF7514000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011833619.0000014EF7D7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2053450651.0000014EEFBEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2020279129.0000014EF2D65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2089897245.0000014EF29FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991868209.0000014EF7BBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2047506948.0000014EEF7D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2063274052.0000014EF2A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2049335637.0000014EEF7ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2022083817.0000014EF04B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.2064305714.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017849758.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.2064305714.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017849758.0000014EF298F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2064305714.0000014EF297C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2017849758.0000014EF297C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.2074269753.0000014EF2FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2067531684.0000014EF2FE5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.2014446088.0000014EF7549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2092124957.0000014EF1E3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2065234571.0000014EF1E3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2032991315.0000014EF1E3B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.2014446088.0000014EF7549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2092124957.0000014EF1E3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2065234571.0000014EF1E3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2032991315.0000014EF1E3B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1925759244.0000014EF7E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924099611.0000014EF7E23000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.2059016428.0000014EF7CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1869515692.0000014EEEA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870320842.0000014EEEA1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870664927.0000014EEEA33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.2032165448.0000014EF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2087456802.0000014EF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2061752181.0000014EF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2073475136.0000014EF34F0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1952999355.0000014EF951E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958715622.0000014EEFB26000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1869515692.0000014EEEA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870320842.0000014EEEA1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870664927.0000014EEEA33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2056304003.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000E.00000002.3052068404.00000168888CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3051703713.000001F429DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3054467705.000001B279803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.2072079265.0000014EF7C97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2094097423.0000014EF1979000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.2060596613.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2014308139.0000014EF758C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.2009759657.0000014EFB23D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1864163616.0000014EEF23C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.2031343559.0000014EF7ADC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000D.00000003.2030197795.0000014EF7D7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863973694.0000014EEF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864340672.0000014EEF25A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864580780.0000014EEF277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863633912.0000014EEF000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864163616.0000014EEF23C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.2098595158.0000014EF08FD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000E.00000002.3051701518.00000168886B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3050916938.000001F429AC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3051167587.000001B279370000.00000002.10000000.00040000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000D.00000003.2010346062.0000014EFAED9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr	firefox.exe, 0000000D.00000003.2031148014.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059016428.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2071334367.0000014EF7CE8000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561679
Start date and time:	2024-11-24 04:19:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@64/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 34.209.229.249, 52.32.237.164, 172.217.17.42, 172.217.17.46, 88.221.134.209, 88.221.134.155
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
22:20:26	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.117.212.221
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.219.71.153
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.170.46.20
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.158.68.28
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.220.65.243
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	56.199.179.130
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.250.234.111
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.235.41.232
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.166.75.0
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.249.141.50
ATGS-MMD-ASUS	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.219.71.153
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.170.46.20
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.158.68.28
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.220.65.243
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	56.199.179.130
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	32.250.234.111
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.235.41.232
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.166.75.0
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.249.141.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfbc8475-05d4-4163-af93-87d0c3f1feb8.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183499506776503
Encrypted:	false
SSDEEP:	192:IjMXeYLcbhbVbTbfbRbObtbyEl7n664r1JA6WnSrDtTUd/SkDro:IYTcNhnzFSJUrwBnSrDhUd/+
MD5:	89A9D510B61EA74120863F93CDAC8A1A
SHA1:	90545E879D21E687FA1F433A0F25BC0C1B01B077
SHA-256:	976BADCA9AD4C2D3969EAB5904E02E51BB551ADFE4E3F7E85BE84817ECD2A82C
SHA-512:	B4536DF219728AEC26C90CEB95A25BCA67DD98F5DBFEBD8A44C352E5F010E4A41ADAC74B0AF8C956CEF6F268A3AE43FD38484F7DBD0C41BE31FFB938FAE09A0A
Malicious:	false
Preview:	{"type":"uninstall","id":"dfbc8475-05d4-4163-af93-87d0c3f1feb8","creationDate":"2024-11-24T05:01:36.152Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfbc8475-05d4-4163-af93-87d0c3f1feb8.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183499506776503
Encrypted:	false
SSDEEP:	192:IjMXeYLcbhbVbTbfbRbObtbyEl7n664r1JA6WnSrDtTUd/SkDro:IYTcNhnzFSJUrwBnSrDhUd/+
MD5:	89A9D510B61EA74120863F93CDAC8A1A
SHA1:	90545E879D21E687FA1F433A0F25BC0C1B01B077
SHA-256:	976BADCA9AD4C2D3969EAB5904E02E51BB551ADFE4E3F7E85BE84817ECD2A82C
SHA-512:	B4536DF219728AEC26C90CEB95A25BCA67DD98F5DBFEBD8A44C352E5F010E4A41ADAC74B0AF8C956CEF6F268A3AE43FD38484F7DBD0C41BE31FFB938FAE09A0A
Malicious:	false
Preview:	{"type":"uninstall","id":"dfbc8475-05d4-4163-af93-87d0c3f1feb8","creationDate":"2024-11-24T05:01:36.152Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923944277377912
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLqG28P:8S+OBIUjOdwiOdYVjjwLn28P
MD5:	F742A0D4BC888751B25DCDE28F91E173
SHA1:	5964649CAEEE2EB413559E697254F9C0328D76C4
SHA-256:	2574A019F2BE187B8AE8B3478FD6A64AA3A5F3F419AECBB6E6D698A4B88277AE
SHA-512:	02D8D633C790D81FF8DF8596F8AB465145A19CB9BE80E0C3220A26BDB5ECCC699D362DFACF86AD553E0207A53775431FAAC685B8CF2482CC6D37F8660B3CFF94
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923944277377912
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLqG28P:8S+OBIUjOdwiOdYVjjwLn28P
MD5:	F742A0D4BC888751B25DCDE28F91E173
SHA1:	5964649CAEEE2EB413559E697254F9C0328D76C4
SHA-256:	2574A019F2BE187B8AE8B3478FD6A64AA3A5F3F419AECBB6E6D698A4B88277AE
SHA-512:	02D8D633C790D81FF8DF8596F8AB465145A19CB9BE80E0C3220A26BDB5ECCC699D362DFACF86AD553E0207A53775431FAAC685B8CF2482CC6D37F8660B3CFF94
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07326855990149782
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	179D7516BD6CF3A4C7E68BA239EE1A26
SHA1:	DF57A1EEA4F525216BF951ED0259C7A48B983A4D
SHA-256:	5F0A488810442EE2FAD24884C7EC88661BEDCD6BF8A8096B12159584D9BDD49E
SHA-512:	69FFCFDFD4D0FCE05D14282F2BEE13D93D25400D773B2FEF92893DAE7A3DD27FD9CE5689EAAA322A6DF0C7D3ADCB8E4FCFB4BEB0C9E215B3743A55F504D5DFAE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFGjcb1WMeah94l3lstFGjcb1WMeahl1T89//alEl:GtWtEjcEfwW1WtEjcEfw789XuM
MD5:	78A414E61CAA8B392887E2EF02324604
SHA1:	A9111192B0793C1ACDC20C41D2DC13AEF7F72DB4
SHA-256:	CB7FD41B5066C055C3416A18B18EE5E9F0611DBEC24BE47C1A09599B0DF03ECF
SHA-512:	8E2138C126689BCEBF2371AB921FD18C74752C4CD574F30103760148BED499D0B2C0147F8E48E0305094684B173CE969023806A74B4D6EE77179B6B2E1016D11
Malicious:	false
Preview:	..-.....................QV.=U...y.5.F.@...h.....-.....................QV.=U...y.5.F.@...h...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03980270846103982
Encrypted:	false
SSDEEP:	3:Ol1lIuzh9/83tWbYk6ulX7l8rEXsxdwhml8XW3R2:KfIkr0dWbn6utl8dMhm93w
MD5:	F3CFEA5AC98CE8DF229D80CF04BCBDFF
SHA1:	FE9BFD99A0C07992D27E7BDF379BE179F58C9C29
SHA-256:	43B3E69281371D8CAB5435567849530DA96BF8C4ADCB36F5581CA4B3DA3D4E43
SHA-512:	A067EC6F72FF2AB0EBF5249C9211289FE37C14F1C912924A5C61D604F5E6478876008D7045BA0F113ED1BD472C8173270EBE8D5CC2AF37542495FF1A0931D824
Malicious:	false
Preview:	7....-...........y.5.F.@.I\|..............y.5.F.@=.VQ...U................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	modified
Size (bytes):	13254
Entropy (8bit):	5.49357615356729
Encrypted:	false
SSDEEP:	192:gnaRtLYbBp6ghj4qyaaXv6KFDyiN/p5RfGNBw8dNSl:9eCqlepFcwa0
MD5:	8EBEE8FD8863C8B6CA88B8B1DE8A5A42
SHA1:	ED5A5FF7B4B669F975B5C35A7EB4B4993AE0C4B2
SHA-256:	9CEBBAFF6366BEA099D1E6841D5FE20238DF309BE6863A20521664CD42C71D40
SHA-512:	DEDBBA7D1B39BB923D631415C4DEEF2B96D8326C238C7D34B7B08C4411A908FE5A32AC4487504CF65D314C0DE3E1CA7D4DAFB4F2D5428D50D1CAFD19817BC0E7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732424466);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732424466);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732424466);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173242

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49357615356729
Encrypted:	false
SSDEEP:	192:gnaRtLYbBp6ghj4qyaaXv6KFDyiN/p5RfGNBw8dNSl:9eCqlepFcwa0
MD5:	8EBEE8FD8863C8B6CA88B8B1DE8A5A42
SHA1:	ED5A5FF7B4B669F975B5C35A7EB4B4993AE0C4B2
SHA-256:	9CEBBAFF6366BEA099D1E6841D5FE20238DF309BE6863A20521664CD42C71D40
SHA-512:	DEDBBA7D1B39BB923D631415C4DEEF2B96D8326C238C7D34B7B08C4411A908FE5A32AC4487504CF65D314C0DE3E1CA7D4DAFB4F2D5428D50D1CAFD19817BC0E7
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732424466);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732424466);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732424466);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173242

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331733515360893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5IMbLXnIgOA/pnxQwRlszT5sKtq3eHVQj6TEJamhujJlOsIomNVrw:GUpOxHCznR6I3eHTEJ4JlIquR4
MD5:	A3662AC275D0ED23E5A0DDE3BB4FA0D0
SHA1:	3C94DCA0ADB70FAB8FBFFE82A57C5994E44FBAF2
SHA-256:	3A687D52A2E488DA8BAE4288837643E7E10C84AAD00F0C4D8948E17F5F57E50C
SHA-512:	0F57E13BF08E2A4ED0EA9A3293D8322E76A301A2D255426D4579DC369C0051976D5082F2789A787273E15669875B3F92724FB730B9FCFA403A28B390312F6A1A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a1f74c89-04f8-424a-8a7e-8c12d358d055}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732424474707,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0355...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43582,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331733515360893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5IMbLXnIgOA/pnxQwRlszT5sKtq3eHVQj6TEJamhujJlOsIomNVrw:GUpOxHCznR6I3eHTEJ4JlIquR4
MD5:	A3662AC275D0ED23E5A0DDE3BB4FA0D0
SHA1:	3C94DCA0ADB70FAB8FBFFE82A57C5994E44FBAF2
SHA-256:	3A687D52A2E488DA8BAE4288837643E7E10C84AAD00F0C4D8948E17F5F57E50C
SHA-512:	0F57E13BF08E2A4ED0EA9A3293D8322E76A301A2D255426D4579DC369C0051976D5082F2789A787273E15669875B3F92724FB730B9FCFA403A28B390312F6A1A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a1f74c89-04f8-424a-8a7e-8c12d358d055}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732424474707,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0355...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43582,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331733515360893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5IMbLXnIgOA/pnxQwRlszT5sKtq3eHVQj6TEJamhujJlOsIomNVrw:GUpOxHCznR6I3eHTEJ4JlIquR4
MD5:	A3662AC275D0ED23E5A0DDE3BB4FA0D0
SHA1:	3C94DCA0ADB70FAB8FBFFE82A57C5994E44FBAF2
SHA-256:	3A687D52A2E488DA8BAE4288837643E7E10C84AAD00F0C4D8948E17F5F57E50C
SHA-512:	0F57E13BF08E2A4ED0EA9A3293D8322E76A301A2D255426D4579DC369C0051976D5082F2789A787273E15669875B3F92724FB730B9FCFA403A28B390312F6A1A
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a1f74c89-04f8-424a-8a7e-8c12d358d055}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732424474707,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0355...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43582,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033947593498956
Encrypted:	false
SSDEEP:	48:YrSAYg6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycgyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E0452893795B180518FBEAD64C01A1DB
SHA1:	46EB7373A7D94F97AFC79CD8EDCC34AED250FAC8
SHA-256:	23A006B636BF96E45E4A5872FFA88053A22AC5C792CF0126E430DF4F8E74FF57
SHA-512:	6943F360D96E68690722461E94AB17EEDA56111C470EAC584B7962DA6F11E58B67BDE3C0F9FC66B301979049F30FCE4B8ABD8D103BF51D03F6E1CA2A0AC1EC03
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T05:00:54.197Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033947593498956
Encrypted:	false
SSDEEP:	48:YrSAYg6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycgyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E0452893795B180518FBEAD64C01A1DB
SHA1:	46EB7373A7D94F97AFC79CD8EDCC34AED250FAC8
SHA-256:	23A006B636BF96E45E4A5872FFA88053A22AC5C792CF0126E430DF4F8E74FF57
SHA-512:	6943F360D96E68690722461E94AB17EEDA56111C470EAC584B7962DA6F11E58B67BDE3C0F9FC66B301979049F30FCE4B8ABD8D103BF51D03F6E1CA2A0AC1EC03
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T05:00:54.197Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591512711906439
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	4676050a0ef5a185953ab79d47cb8585
SHA1:	dec41077d44ded9ce6d7bcf29848ebf49a89b6fe
SHA256:	bba632ef9970be97837b7cd9fad3df8c7a0f8476cb2bb8805e1f05c6b5167fd0
SHA512:	3c5f5c50c9c75ebd664fe4b962f0b70791472f33e731dac34547aea673cd65253d31d51f146ad181ddd6bd173636ddf3d0768098d1ba1dd76d853f1e4d72e350
SSDEEP:	12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga9TF:MqDEvCTbMWu7rQYlBQcBiT6rprG8a5F
TLSH:	1C159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67429759 [Sun Nov 24 03:02:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F1148F1CEA3h
jmp 00007F1148F1C7AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1148F1C98Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1148F1C95Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F1148F1F54Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F1148F1F598h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F1148F1F581h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa760	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa760	0xa800	46fbaf30bd01698722a96568d017cc71	False	0.3671875	data	5.6110620990496685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a26	data			1.0016432626232448
RT_GROUP_ICON	0xde1e0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde258	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde26c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde280	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde294	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde370	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 04:20:20.791773081 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:20.791884899 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:20.793760061 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:20.802804947 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:20.802846909 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:22.123745918 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:22.124881983 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:22.160784006 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:22.160828114 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:22.160924911 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:22.161071062 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:22.161138058 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:25.108931065 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.108967066 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:25.109055042 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.109074116 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:25.109225035 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.109225035 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.110613108 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.110627890 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:25.114619017 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:25.114636898 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:25.162782907 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:25.282218933 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:25.285700083 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:25.286000967 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:25.405409098 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:25.441831112 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.441885948 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:25.442059994 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.443551064 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.443567991 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:25.771450996 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.771491051 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:25.772861004 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.774291992 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:25.774312019 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.020992994 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:26.021058083 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:26.021195889 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:26.021389961 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:26.021405935 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:26.046474934 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:26.046504021 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:26.046566010 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:26.046715021 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:26.046725988 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:26.417850971 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:26.461683035 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:26.684838057 CET	49747	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:26.760276079 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.760777950 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.765953064 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.765970945 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.766118050 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.766179085 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.766496897 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.766535997 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.766576052 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.766721964 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.768105030 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:26.768125057 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:26.804399014 CET	80	49747	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:26.804528952 CET	49747	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:26.804692030 CET	49747	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:26.816147089 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.817255974 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.819993019 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.820002079 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.825423956 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.825436115 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.825455904 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.825702906 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.825844049 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.848191977 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.848263979 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.848890066 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.848951101 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.853136063 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.853144884 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.853249073 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.853305101 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 04:20:26.853400946 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 04:20:26.910334110 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:26.924098015 CET	80	49747	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.029814005 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.045874119 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.055345058 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.066245079 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.072813034 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.072824001 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.072951078 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.073318958 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.073365927 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.073450089 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.086415052 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.086432934 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.087866068 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:27.087882996 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.234252930 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.262531042 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:27.267339945 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:27.271661043 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.280119896 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.287341118 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.289360046 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.289360046 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.304142952 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.304182053 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:27.304572105 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:27.306960106 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.306977034 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.307367086 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.309176922 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.309278965 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.309365988 CET	443	49746	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:27.309601068 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.309638977 CET	49746	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:27.346750021 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.346865892 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.346968889 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.347306013 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.347346067 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.350167036 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.350230932 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.350702047 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:27.350716114 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:27.631989956 CET	49747	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.635551929 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.644438028 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.663049936 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.752233028 CET	80	49747	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.752357960 CET	49747	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.755587101 CET	80	49741	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.757195950 CET	49741	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.764053106 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.769597054 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.769788027 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.782530069 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.782610893 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.782794952 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:27.889221907 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.902179956 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:27.993767023 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:27.999381065 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.009342909 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.027800083 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.027822018 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.027889967 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.028623104 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.030580044 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.351607084 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.351619959 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.352456093 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.357568979 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.357579947 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.357676983 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.357760906 CET	443	49749	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:28.363801956 CET	49749	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:28.662971020 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:28.663089037 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.667423964 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.667432070 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:28.667666912 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:28.669794083 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.669914961 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.669923067 CET	443	49751	34.160.144.191	192.168.2.4
Nov 24, 2024 04:20:28.670101881 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.670173883 CET	49751	443	192.168.2.4	34.160.144.191
Nov 24, 2024 04:20:28.868217945 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:28.902771950 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:28.911933899 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:28.940882921 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:28.940928936 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:28.941006899 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:28.942925930 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:28.942948103 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:28.965369940 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:30.250224113 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:30.250302076 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:30.255151987 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:30.255162001 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:30.255251884 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:30.255345106 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:30.258646011 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:31.354443073 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:31.354523897 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:31.366457939 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:31.370368004 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:31.370400906 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:32.585017920 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:32.585031033 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:32.587146044 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:32.655292988 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:32.655334949 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:32.655389071 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:32.655517101 CET	443	49757	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:32.659759045 CET	49757	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:32.890450954 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:32.890733957 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:32.890799046 CET	443	49760	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:32.890857935 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:32.892894983 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:32.894350052 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:32.894366980 CET	443	49760	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:33.009841919 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:33.010270119 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:33.043853998 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:33.043891907 CET	443	49761	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:33.044013023 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:33.045468092 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:33.045484066 CET	443	49761	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:33.082158089 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:33.082267046 CET	443	49762	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:33.082391024 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:33.083789110 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:33.083806038 CET	443	49762	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:33.206419945 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:33.214174986 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:33.258692980 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:33.258692026 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:33.602437019 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:33.602505922 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:33.602890015 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:33.602996111 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:33.603013039 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:33.703227043 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:33.822663069 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:34.026880980 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:34.076644897 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:34.214324951 CET	443	49760	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:34.214401960 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.293982983 CET	443	49761	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:34.294091940 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:34.357836008 CET	443	49762	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:34.357933998 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:34.676609993 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.676670074 CET	443	49760	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:34.676826954 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.676950932 CET	443	49760	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:34.676970959 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:34.676990032 CET	443	49761	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:34.677156925 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:34.677248955 CET	443	49761	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:34.677675009 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.677711010 CET	443	49765	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:34.678430080 CET	49760	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.678435087 CET	49761	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:34.678459883 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.680156946 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:34.680170059 CET	443	49765	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:34.682327986 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:34.682349920 CET	443	49762	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:34.682404041 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:34.682684898 CET	443	49762	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:34.692986012 CET	49762	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:34.814138889 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:34.814233065 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:34.865516901 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:34.865565062 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:34.866445065 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:34.891628981 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:34.891731977 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:34.891846895 CET	443	49763	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:34.891920090 CET	49763	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:35.944178104 CET	443	49765	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:35.944359064 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:35.997853994 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:36.324009895 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:36.324100971 CET	443	49765	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:36.324132919 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:36.324356079 CET	443	49765	34.117.188.166	192.168.2.4
Nov 24, 2024 04:20:36.324574947 CET	49765	443	192.168.2.4	34.117.188.166
Nov 24, 2024 04:20:36.325053930 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:36.326314926 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.326353073 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.327472925 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.328844070 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.328855991 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.444509029 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:36.598769903 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.598823071 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.599459887 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.599550962 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.599628925 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.599864006 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.599883080 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.600961924 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.601125956 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:36.601156950 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:36.668246984 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:36.722055912 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:36.845978022 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:36.965681076 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:37.171224117 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:37.223562956 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:37.585988045 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:37.586087942 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:37.677027941 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:37.677061081 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:37.677130938 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:37.677218914 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:37.677282095 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:37.782847881 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:37.863559008 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:37.872282982 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:37.902340889 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:37.909514904 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:37.909615040 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.001185894 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.001205921 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.001537085 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.005460024 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.005486965 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.005827904 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.008620024 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.008753061 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.008802891 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.008837938 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.008903027 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.009011030 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.009037018 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 04:20:38.009124994 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 04:20:38.098546982 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:38.157330036 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:38.272924900 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:38.281037092 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:38.295306921 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:38.295356035 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:38.296367884 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:38.297789097 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:38.297805071 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:38.392384052 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:38.400497913 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:38.598104000 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:38.603077888 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:38.643217087 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:38.643223047 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:39.560245991 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:39.560323954 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:39.658391953 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:39.658426046 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:39.658483982 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:39.658752918 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:39.660192966 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:40.792018890 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:40.845053911 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:40.911569118 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:40.964535952 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:41.115906954 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:41.159827948 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:41.166495085 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:41.222749949 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:42.828706980 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:42.948286057 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:43.152620077 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:43.203725100 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:46.561671019 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:46.681150913 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:46.876331091 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:46.880815983 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:46.924333096 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:47.000283003 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:47.204618931 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:47.256470919 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:49.309747934 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:49.309787035 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:49.310745955 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:49.310866117 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:49.310875893 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:49.313560009 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:49.313586950 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:49.313867092 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:49.313978910 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:49.313992023 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:49.335480928 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:49.335500002 CET	443	49774	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:49.336707115 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:49.338150024 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:49.338160038 CET	443	49774	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:49.462963104 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:49.462999105 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:49.467217922 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:49.467459917 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:49.467472076 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:49.649190903 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:49.649229050 CET	443	49776	35.201.103.21	192.168.2.4
Nov 24, 2024 04:20:49.649497986 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:49.650917053 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:49.650928020 CET	443	49776	35.201.103.21	192.168.2.4
Nov 24, 2024 04:20:50.655021906 CET	443	49774	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:50.655108929 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:50.659604073 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:50.659614086 CET	443	49774	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:50.659739017 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:50.659807920 CET	443	49774	35.190.72.216	192.168.2.4
Nov 24, 2024 04:20:50.661334991 CET	49774	443	192.168.2.4	35.190.72.216
Nov 24, 2024 04:20:50.663158894 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:50.689193010 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.689366102 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.690423965 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:50.692441940 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.692449093 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.692636967 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:50.692732096 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.695400953 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:50.695409060 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:50.695662975 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:50.698976994 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.698976994 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.699189901 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:50.699206114 CET	443	49772	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.699238062 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:50.699337959 CET	443	49773	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:50.699456930 CET	49772	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.699465990 CET	49773	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:50.777380943 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:50.777467012 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:50.780750990 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:50.780756950 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:50.781172991 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:50.782607079 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:50.783818960 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:50.783909082 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:50.784004927 CET	443	49775	151.101.1.91	192.168.2.4
Nov 24, 2024 04:20:50.786936998 CET	49775	443	192.168.2.4	151.101.1.91
Nov 24, 2024 04:20:50.792164087 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.792196035 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.792701006 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.792931080 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.792943954 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.794241905 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.794272900 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.795452118 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.795562983 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.795574903 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.796540976 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.796550035 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.796627045 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.796719074 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:50.796725035 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:50.812726974 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:50.812798023 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:50.813060045 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:50.814493895 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:50.814527988 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:51.237490892 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.241172075 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:51.252327919 CET	443	49776	35.201.103.21	192.168.2.4
Nov 24, 2024 04:20:51.252465010 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:51.257927895 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:51.257937908 CET	443	49776	35.201.103.21	192.168.2.4
Nov 24, 2024 04:20:51.258049011 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:51.258116961 CET	443	49776	35.201.103.21	192.168.2.4
Nov 24, 2024 04:20:51.259385109 CET	49776	443	192.168.2.4	35.201.103.21
Nov 24, 2024 04:20:51.261389017 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:51.272526979 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:51.272577047 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:51.278455973 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:51.278572083 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:51.278584003 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:51.355887890 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.355951071 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:51.360799074 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.380856037 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.565038919 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.575973034 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.579224110 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:51.622504950 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:51.698633909 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.903976917 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:51.954652071 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:52.375236034 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.375328064 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.375777960 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.375973940 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.378077984 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.378086090 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.378324032 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.380390882 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.380395889 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.380712032 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.383447886 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.383547068 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.383594990 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.383744955 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.383791924 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.383924961 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.383934975 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.384110928 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.388621092 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:52.421202898 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.421307087 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.424233913 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.424242020 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.424473047 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.427158117 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:52.427333117 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.427453041 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.427467108 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:52.427496910 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 04:20:52.431355953 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:52.431395054 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:52.431422949 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:52.431535006 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 04:20:52.432545900 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 04:20:52.432576895 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:20:52.508080959 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:52.543540001 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:52.543689966 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.547096014 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.547105074 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:52.548175097 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:52.549717903 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.549818993 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.550157070 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 04:20:52.550791979 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.550791979 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 04:20:52.709693909 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:52.713452101 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:52.756985903 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:20:52.832978964 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:53.037523985 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:20:53.089080095 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:02.719547987 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:02.839303970 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:03.040224075 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:03.159707069 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:12.846837997 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:12.854151964 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:12.854208946 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:12.854296923 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:12.856304884 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:12.856329918 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:12.966279984 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:13.170260906 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:13.289707899 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:14.159017086 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:14.159111977 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:14.164997101 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:14.165009022 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:14.165143967 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:14.165150881 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:14.165162086 CET	443	49814	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:14.165426016 CET	49814	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:14.168368101 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:14.287880898 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:14.484688044 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:14.488059044 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:14.536346912 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:14.607548952 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:14.811933041 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:14.852900028 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:24.497729063 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:24.617214918 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:24.814286947 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:24.933836937 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:34.631635904 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:34.751053095 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:34.934426069 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:35.053842068 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:44.761522055 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:44.880975962 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:45.062458038 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:45.181988001 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:54.322026968 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:54.322092056 CET	443	49906	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:54.322194099 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:54.323703051 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:54.323739052 CET	443	49906	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:54.891273022 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:55.010782957 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:55.192151070 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:55.311608076 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:55.583148956 CET	443	49906	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:55.583237886 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:55.589426041 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:55.589451075 CET	443	49906	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:55.589517117 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:55.589709997 CET	443	49906	34.107.243.93	192.168.2.4
Nov 24, 2024 04:21:55.589854956 CET	49906	443	192.168.2.4	34.107.243.93
Nov 24, 2024 04:21:55.592725992 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:55.712233067 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:55.907835960 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:55.922003031 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:55.978893042 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:21:56.041475058 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:56.246253014 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:21:56.295475960 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:22:05.923177958 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:22:06.042613029 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:22:06.255337954 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:22:06.374859095 CET	80	49752	34.107.221.82	192.168.2.4
Nov 24, 2024 04:22:16.048460960 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:22:16.167887926 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 04:22:16.380595922 CET	49752	80	192.168.2.4	34.107.221.82
Nov 24, 2024 04:22:16.500107050 CET	80	49752	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 04:20:20.791764975 CET	58430	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:21.089692116 CET	53	58430	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:21.090652943 CET	59043	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:21.339521885 CET	53	59043	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:24.393796921 CET	59191	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:24.880773067 CET	56039	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:24.970465899 CET	64024	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.017864943 CET	53	56039	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.018513918 CET	59279	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.108040094 CET	53	64024	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.109129906 CET	52190	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.161900997 CET	53	59279	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.248603106 CET	53	52190	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.249265909 CET	51336	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.303116083 CET	56884	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.366559982 CET	62648	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.388190985 CET	53	51336	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.440973043 CET	53	56884	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.441993952 CET	65388	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.504759073 CET	53	62648	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.579721928 CET	53	65388	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.580414057 CET	61302	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.717633963 CET	53	61302	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.772121906 CET	61156	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.880147934 CET	58836	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:25.908974886 CET	53	61156	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:25.909598112 CET	62406	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.018120050 CET	53	58836	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.021073103 CET	65278	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.046633959 CET	50032	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.051898003 CET	53	62406	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.159039021 CET	53	65278	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.162229061 CET	56310	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.259959936 CET	53	50032	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.260657072 CET	60171	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.300482988 CET	53	56310	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.399085045 CET	53	60171	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.476756096 CET	59964	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.477009058 CET	56173	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.546274900 CET	55089	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:26.613600969 CET	53	56173	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.616144896 CET	53	59964	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:26.726357937 CET	62410	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:27.628153086 CET	57494	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:27.689547062 CET	53	53212	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:27.766076088 CET	53	57494	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:27.771114111 CET	62768	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:27.909179926 CET	53	62768	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:27.910181046 CET	62336	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:28.046971083 CET	53	62336	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:28.941239119 CET	55163	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:29.078845978 CET	53	55163	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:29.079813004 CET	51416	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:29.216543913 CET	53	51416	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:31.351011038 CET	55147	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:31.488023043 CET	53	55147	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:31.489115953 CET	52753	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:31.627196074 CET	53	52753	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:31.633017063 CET	54829	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:31.771043062 CET	53	54829	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:32.929198027 CET	61852	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:33.065994978 CET	53	61852	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:33.082308054 CET	55028	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:33.219427109 CET	53	55028	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:33.220273018 CET	64783	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:33.357039928 CET	53	64783	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:33.602839947 CET	58458	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:33.740871906 CET	53	58458	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:36.329612970 CET	52928	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:36.466955900 CET	53	52928	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:38.295577049 CET	50583	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:38.432482958 CET	53	50583	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:42.812244892 CET	63235	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:42.812246084 CET	63203	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:42.812774897 CET	60034	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:42.949656010 CET	53	63235	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:42.949757099 CET	53	60034	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:42.949878931 CET	53	63203	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:42.951180935 CET	53324	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:42.951180935 CET	52215	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:42.951986074 CET	52780	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.088248014 CET	53	53324	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.089135885 CET	53	52215	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.090084076 CET	53	52780	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.092313051 CET	57676	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.092591047 CET	64995	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.092818975 CET	49599	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.229132891 CET	53	64995	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.231031895 CET	53	57676	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.232728004 CET	63904	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.233089924 CET	57862	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.305450916 CET	53	49599	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.370045900 CET	53	57862	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.370672941 CET	53	63904	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.370974064 CET	63834	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.371611118 CET	57758	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.507972002 CET	53	63834	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.508927107 CET	51547	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.608933926 CET	53	57758	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.610011101 CET	64279	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:43.646744967 CET	53	51547	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:43.751056910 CET	53	64279	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.308823109 CET	59836	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.310194969 CET	49791	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.339111090 CET	52697	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.446650028 CET	53	59836	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.449246883 CET	53	49791	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.463630915 CET	52810	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.601404905 CET	53	52810	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.604134083 CET	63588	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.647777081 CET	53	52697	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.649424076 CET	64844	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:49.741889000 CET	53	63588	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.877641916 CET	53	64844	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:49.878572941 CET	53886	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:50.093698025 CET	53	53886	1.1.1.1	192.168.2.4
Nov 24, 2024 04:20:50.812926054 CET	55643	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:20:51.237447023 CET	53	55643	1.1.1.1	192.168.2.4
Nov 24, 2024 04:21:12.854887009 CET	49647	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:21:12.991921902 CET	53	49647	1.1.1.1	192.168.2.4
Nov 24, 2024 04:21:54.178924084 CET	51142	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:21:54.320414066 CET	53	51142	1.1.1.1	192.168.2.4
Nov 24, 2024 04:21:54.321578026 CET	51470	53	192.168.2.4	1.1.1.1
Nov 24, 2024 04:21:54.459943056 CET	53	51470	1.1.1.1	192.168.2.4
Nov 24, 2024 04:21:55.593004942 CET	60335	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 04:20:20.791764975 CET	192.168.2.4	1.1.1.1	0x7875	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:21.090652943 CET	192.168.2.4	1.1.1.1	0x7a00	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:24.393796921 CET	192.168.2.4	1.1.1.1	0xdb50	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:24.880773067 CET	192.168.2.4	1.1.1.1	0x3aa0	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:24.970465899 CET	192.168.2.4	1.1.1.1	0x253e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.018513918 CET	192.168.2.4	1.1.1.1	0x96a2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:25.109129906 CET	192.168.2.4	1.1.1.1	0xd048	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.249265909 CET	192.168.2.4	1.1.1.1	0xd7c3	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:25.303116083 CET	192.168.2.4	1.1.1.1	0x9d6d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.366559982 CET	192.168.2.4	1.1.1.1	0x6d0e	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.441993952 CET	192.168.2.4	1.1.1.1	0x47e6	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.580414057 CET	192.168.2.4	1.1.1.1	0x7e8a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:25.772121906 CET	192.168.2.4	1.1.1.1	0x2633	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.880147934 CET	192.168.2.4	1.1.1.1	0x199d	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.909598112 CET	192.168.2.4	1.1.1.1	0x5905	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:26.021073103 CET	192.168.2.4	1.1.1.1	0x3463	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.046633959 CET	192.168.2.4	1.1.1.1	0x31c2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.162229061 CET	192.168.2.4	1.1.1.1	0x8476	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:26.260657072 CET	192.168.2.4	1.1.1.1	0x32e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:26.476756096 CET	192.168.2.4	1.1.1.1	0x3115	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.477009058 CET	192.168.2.4	1.1.1.1	0x26be	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.546274900 CET	192.168.2.4	1.1.1.1	0xf952	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.726357937 CET	192.168.2.4	1.1.1.1	0x56c0	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:27.628153086 CET	192.168.2.4	1.1.1.1	0xfff3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:27.771114111 CET	192.168.2.4	1.1.1.1	0x53ac	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:27.910181046 CET	192.168.2.4	1.1.1.1	0xa788	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:28.941239119 CET	192.168.2.4	1.1.1.1	0x15db	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:29.079813004 CET	192.168.2.4	1.1.1.1	0xb392	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:31.351011038 CET	192.168.2.4	1.1.1.1	0xa24d	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:31.489115953 CET	192.168.2.4	1.1.1.1	0x4c6a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:31.633017063 CET	192.168.2.4	1.1.1.1	0xc763	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:32.929198027 CET	192.168.2.4	1.1.1.1	0x6622	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.082308054 CET	192.168.2.4	1.1.1.1	0x1be9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.220273018 CET	192.168.2.4	1.1.1.1	0xa059	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:33.602839947 CET	192.168.2.4	1.1.1.1	0xa2c5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:36.329612970 CET	192.168.2.4	1.1.1.1	0x46ad	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:38.295577049 CET	192.168.2.4	1.1.1.1	0xf8f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:42.812244892 CET	192.168.2.4	1.1.1.1	0x33fa	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.812246084 CET	192.168.2.4	1.1.1.1	0x486d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.812774897 CET	192.168.2.4	1.1.1.1	0x4ce0	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.951180935 CET	192.168.2.4	1.1.1.1	0xe759	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.951180935 CET	192.168.2.4	1.1.1.1	0x5858	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.951986074 CET	192.168.2.4	1.1.1.1	0x97da	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.092313051 CET	192.168.2.4	1.1.1.1	0x3bba	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:43.092591047 CET	192.168.2.4	1.1.1.1	0x1ef2	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:43.092818975 CET	192.168.2.4	1.1.1.1	0xd49d	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 04:20:43.232728004 CET	192.168.2.4	1.1.1.1	0xf11a	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.233089924 CET	192.168.2.4	1.1.1.1	0xf2cf	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370974064 CET	192.168.2.4	1.1.1.1	0x230b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.371611118 CET	192.168.2.4	1.1.1.1	0x221	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.508927107 CET	192.168.2.4	1.1.1.1	0x1126	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:43.610011101 CET	192.168.2.4	1.1.1.1	0x226f	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:49.308823109 CET	192.168.2.4	1.1.1.1	0x3170	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.310194969 CET	192.168.2.4	1.1.1.1	0x13d3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 04:20:49.339111090 CET	192.168.2.4	1.1.1.1	0x80c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.463630915 CET	192.168.2.4	1.1.1.1	0x6e4d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.604134083 CET	192.168.2.4	1.1.1.1	0xf728	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 04:20:49.649424076 CET	192.168.2.4	1.1.1.1	0xde45	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.878572941 CET	192.168.2.4	1.1.1.1	0x772f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:20:50.812926054 CET	192.168.2.4	1.1.1.1	0xeefc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:21:12.854887009 CET	192.168.2.4	1.1.1.1	0x5c09	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:21:54.178924084 CET	192.168.2.4	1.1.1.1	0x801d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:21:54.321578026 CET	192.168.2.4	1.1.1.1	0x65f6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 04:21:55.593004942 CET	192.168.2.4	1.1.1.1	0xefda	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 04:20:20.788156986 CET	1.1.1.1	192.168.2.4	0x2cfc	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:21.089692116 CET	1.1.1.1	192.168.2.4	0x7875	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:24.879436970 CET	1.1.1.1	192.168.2.4	0xdb50	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:24.879436970 CET	1.1.1.1	192.168.2.4	0xdb50	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.017864943 CET	1.1.1.1	192.168.2.4	0x3aa0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.108040094 CET	1.1.1.1	192.168.2.4	0x253e	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.161900997 CET	1.1.1.1	192.168.2.4	0x96a2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 04:20:25.248603106 CET	1.1.1.1	192.168.2.4	0xd048	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.388190985 CET	1.1.1.1	192.168.2.4	0xd7c3	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:25.440973043 CET	1.1.1.1	192.168.2.4	0x9d6d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.504759073 CET	1.1.1.1	192.168.2.4	0x6d0e	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:25.504759073 CET	1.1.1.1	192.168.2.4	0x6d0e	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.579721928 CET	1.1.1.1	192.168.2.4	0x47e6	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:25.908974886 CET	1.1.1.1	192.168.2.4	0x2633	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.018120050 CET	1.1.1.1	192.168.2.4	0x199d	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:26.018120050 CET	1.1.1.1	192.168.2.4	0x199d	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:26.018120050 CET	1.1.1.1	192.168.2.4	0x199d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.044684887 CET	1.1.1.1	192.168.2.4	0x7701	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:26.044684887 CET	1.1.1.1	192.168.2.4	0x7701	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.159039021 CET	1.1.1.1	192.168.2.4	0x3463	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.259959936 CET	1.1.1.1	192.168.2.4	0x31c2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.300482988 CET	1.1.1.1	192.168.2.4	0x8476	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 04:20:26.613600969 CET	1.1.1.1	192.168.2.4	0x26be	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.613600969 CET	1.1.1.1	192.168.2.4	0x26be	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.616144896 CET	1.1.1.1	192.168.2.4	0x3115	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:26.683682919 CET	1.1.1.1	192.168.2.4	0xf952	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:26.683682919 CET	1.1.1.1	192.168.2.4	0xf952	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:27.193720102 CET	1.1.1.1	192.168.2.4	0x56c0	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:27.766076088 CET	1.1.1.1	192.168.2.4	0xfff3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:27.909179926 CET	1.1.1.1	192.168.2.4	0x53ac	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:28.939420938 CET	1.1.1.1	192.168.2.4	0x3d30	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:29.078845978 CET	1.1.1.1	192.168.2.4	0x15db	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:31.488023043 CET	1.1.1.1	192.168.2.4	0xa24d	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:31.488023043 CET	1.1.1.1	192.168.2.4	0xa24d	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:31.488023043 CET	1.1.1.1	192.168.2.4	0xa24d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:31.627196074 CET	1.1.1.1	192.168.2.4	0x4c6a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.032046080 CET	1.1.1.1	192.168.2.4	0x9c28	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.065994978 CET	1.1.1.1	192.168.2.4	0x6622	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:33.065994978 CET	1.1.1.1	192.168.2.4	0x6622	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.219427109 CET	1.1.1.1	192.168.2.4	0x1be9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:33.598694086 CET	1.1.1.1	192.168.2.4	0x69b2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:33.598694086 CET	1.1.1.1	192.168.2.4	0x69b2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949656010 CET	1.1.1.1	192.168.2.4	0x33fa	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949656010 CET	1.1.1.1	192.168.2.4	0x33fa	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949757099 CET	1.1.1.1	192.168.2.4	0x4ce0	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949878931 CET	1.1.1.1	192.168.2.4	0x486d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:42.949878931 CET	1.1.1.1	192.168.2.4	0x486d	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.088248014 CET	1.1.1.1	192.168.2.4	0xe759	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.089135885 CET	1.1.1.1	192.168.2.4	0x5858	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.090084076 CET	1.1.1.1	192.168.2.4	0x97da	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.229132891 CET	1.1.1.1	192.168.2.4	0x1ef2	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.231031895 CET	1.1.1.1	192.168.2.4	0x3bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.231031895 CET	1.1.1.1	192.168.2.4	0x3bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.231031895 CET	1.1.1.1	192.168.2.4	0x3bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.231031895 CET	1.1.1.1	192.168.2.4	0x3bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.305450916 CET	1.1.1.1	192.168.2.4	0xd49d	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 04:20:43.370045900 CET	1.1.1.1	192.168.2.4	0xf2cf	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370045900 CET	1.1.1.1	192.168.2.4	0xf2cf	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370045900 CET	1.1.1.1	192.168.2.4	0xf2cf	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370045900 CET	1.1.1.1	192.168.2.4	0xf2cf	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370672941 CET	1.1.1.1	192.168.2.4	0xf11a	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370672941 CET	1.1.1.1	192.168.2.4	0xf11a	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370672941 CET	1.1.1.1	192.168.2.4	0xf11a	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370672941 CET	1.1.1.1	192.168.2.4	0xf11a	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.370672941 CET	1.1.1.1	192.168.2.4	0xf11a	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.507972002 CET	1.1.1.1	192.168.2.4	0x230b	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.608933926 CET	1.1.1.1	192.168.2.4	0x221	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.608933926 CET	1.1.1.1	192.168.2.4	0x221	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.608933926 CET	1.1.1.1	192.168.2.4	0x221	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:43.608933926 CET	1.1.1.1	192.168.2.4	0x221	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.446650028 CET	1.1.1.1	192.168.2.4	0x3170	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.446650028 CET	1.1.1.1	192.168.2.4	0x3170	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.446650028 CET	1.1.1.1	192.168.2.4	0x3170	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.446650028 CET	1.1.1.1	192.168.2.4	0x3170	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.601404905 CET	1.1.1.1	192.168.2.4	0x6e4d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.601404905 CET	1.1.1.1	192.168.2.4	0x6e4d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.601404905 CET	1.1.1.1	192.168.2.4	0x6e4d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.601404905 CET	1.1.1.1	192.168.2.4	0x6e4d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.647777081 CET	1.1.1.1	192.168.2.4	0x80c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:49.647777081 CET	1.1.1.1	192.168.2.4	0x80c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:49.741889000 CET	1.1.1.1	192.168.2.4	0xf728	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 04:20:49.741889000 CET	1.1.1.1	192.168.2.4	0xf728	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 04:20:49.741889000 CET	1.1.1.1	192.168.2.4	0xf728	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 04:20:49.741889000 CET	1.1.1.1	192.168.2.4	0xf728	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 04:20:49.877641916 CET	1.1.1.1	192.168.2.4	0xde45	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:20:53.242307901 CET	1.1.1.1	192.168.2.4	0x97a3	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:20:53.242307901 CET	1.1.1.1	192.168.2.4	0x97a3	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:21:54.320414066 CET	1.1.1.1	192.168.2.4	0x801d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 04:21:55.729729891 CET	1.1.1.1	192.168.2.4	0xefda	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 04:21:55.729729891 CET	1.1.1.1	192.168.2.4	0xefda	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	7860	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 04:20:25.286000967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:26.417850971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34934 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:26.910334110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:27.234252930 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	34.107.221.82	80	7860	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 04:20:26.804692030 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7860	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 04:20:27.769788027 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:28.902771950 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75831 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:32.890450954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:33.214174986 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75836 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:33.703227043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:34.026880980 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75836 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:36.845978022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:37.171224117 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75840 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:38.272924900 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:38.603077888 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75841 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:40.792018890 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:41.115906954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75843 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:42.828706980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:43.152620077 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75845 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:46.880815983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:47.204618931 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75850 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:51.241172075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:51.565038919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75854 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:51.579224110 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:51.903976917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75854 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:20:52.713452101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:20:53.037523985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75855 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:21:03.040224075 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:13.170260906 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:14.488059044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:21:14.811933041 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75877 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:21:24.814286947 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:34.934426069 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:45.062458038 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:55.192151070 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:55.922003031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 04:21:56.246253014 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 75919 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 04:22:06.255337954 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:22:16.380595922 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	34.107.221.82	80	7860	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 04:20:27.782794952 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:28.868217945 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34936 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:32.890857935 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:33.206419945 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34941 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:36.325053930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:36.668246984 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34944 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:37.782847881 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:38.098546982 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34945 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:38.281037092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:38.598104000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:40.845053911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:41.159827948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34949 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:46.561671019 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:46.876331091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34954 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:50.663158894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:51.237490892 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34958 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:51.261389017 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:51.355887890 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34958 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:51.575973034 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34959 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:20:52.388621092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:20:52.709693909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34960 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:21:02.719547987 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:12.846837997 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:14.168368101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:21:14.484688044 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 34982 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:21:24.497729063 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:34.631635904 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:44.761522055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:54.891273022 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:21:55.592725992 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 04:21:55.907835960 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 35023 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 04:22:05.923177958 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 04:22:16.048460960 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	22:20:10
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x950000
File size:	922'112 bytes
MD5 hash:	4676050A0EF5A185953AB79D47CB8585
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:20:10
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xbc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:20:10
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:20:13
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xbc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:20:13
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:20:14
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xbc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:20:14
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:20:14
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xbc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:20:14
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:20:15
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xbc0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:20:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:20:15
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:20:15
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:20:15
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	22:20:18
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd69434-b1bf-4028-b798-7c4ee918bc54} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf76f710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	22:20:22
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 3808 -prefMapHandle 2780 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a23b37-65e5-4176-a8ce-8938ffe3cfe9} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14ef1865210 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	22:20:32
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5500 -prefMapHandle 5476 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69513a0f-09df-48a4-80b6-37d61aa73f6e} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 14edf774310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1556
Total number of Limit Nodes:	48

Executed Functions

Function 009542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0095430D

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetCurrentProcess.KERNEL32(?,009ECB64,00000000,?,?), ref: 00954422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00954429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00954454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00954466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00954474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0095447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009544A0

Strings

kernel32.dll, xrefs: 0095444F
GetNativeSystemInfo, xrefs: 00954460
|O, xrefs: 009936F8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction ID: 3219491e4de0a28b236f723b36ddca7ae09ae898ed1ed5c34bf71610aaf99678
Opcode Fuzzy Hash: 6896e344eeb3273f510924be525e1720a80c33930ee770a350959ac9e567df7c
Instruction Fuzzy Hash: 04A1A56191E2C0CFCBB1CBEE78851B57FE76B76305B0458B9D4819FA21D2248A4BDB21

Function 009542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009550AA,?,?,00000000,00000000), ref: 009542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009550AA,?,?,00000000,00000000), ref: 009542C9
LoadResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935BE
SizeofResource.KERNEL32(?,00000000,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20), ref: 009935D3
LockResource.KERNEL32(009550AA,?,?,009550AA,?,?,00000000,00000000,?,?,?,?,?,?,00954F20,?), ref: 009935E6

Strings

SCRIPT, xrefs: 009542BF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction ID: 859bdd2cc9274e65680d39e4b80b3988812e1cb377d7a3031eb47cd3a674c562
Opcode Fuzzy Hash: 410ae080ce43f5b90a34326f142cc04f58a114db19838c479993d8b7712c9b06
Instruction Fuzzy Hash: 1311ACB0200301BFDB218B6ADC88F277BBDEBC5B56F148169B9628A250DB71DC069620

Function 00992BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A12224), ref: 00992C10
ShellExecuteW.SHELL32(00000000,?,?,00A12224), ref: 00992C17

Strings

runas, xrefs: 00992C0B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4745aca4ab503522b5ef4d09899d55c3a9da6e35c7c3a8296c830c897dcc405b
Instruction ID: 657724056249d440f0762b02fcb100c3a4ea5e6669d457003c5320fbfc15f2d6
Opcode Fuzzy Hash: 4745aca4ab503522b5ef4d09899d55c3a9da6e35c7c3a8296c830c897dcc405b
Instruction Fuzzy Hash: 3911E771608345AAC714FF75E851BBD77A8AFE2342F44483CF986420A2DF30894EC712

Function 009BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Process32NextW.KERNEL32(00000000,?), ref: 009BD52F
CloseHandle.KERNELBASE(00000000), ref: 009BD5DC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dee7bcd8a0472a84375ead7271cccb0a3ea32b138378ce8ff1c46aac4b5e6bdf
Instruction ID: d751b9f52cad29f37c0a9b832f90fe50627771df250dda521168a645a0e95849
Opcode Fuzzy Hash: dee7bcd8a0472a84375ead7271cccb0a3ea32b138378ce8ff1c46aac4b5e6bdf
Instruction Fuzzy Hash: CB318D711083409FD311EF54C881BAFBBE8EFD9354F14092DF985871A2EB71A949CBA2

Function 009BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00995222), ref: 009BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 009BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 009BDBEE
FindClose.KERNEL32(00000000), ref: 009BDBFA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction ID: 0ae733701aeb337cd6bd92596a19319d3fe2a19bb7b18aa72dccebe082dab7d3
Opcode Fuzzy Hash: cc5cefd24ae9586b6510a3a0e5f4bf7226f24d8e9c46beab56063db2c257826d
Instruction Fuzzy Hash: 98F02B708299109782206B7CEE4E8EA3B6C9E01334B104702F9F6C21F0FBF09D56D6D5

Function 00974CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D09
TerminateProcess.KERNEL32(00000000,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000,?,009828E9), ref: 00974D10
ExitProcess.KERNEL32 ref: 00974D22

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction ID: 81714a3c4f62192d30106ca68d4f7a63b5406eb1e49cac10d1faa274141650d3
Opcode Fuzzy Hash: 51909308866290b53ccc89c3521cc2fabd9356aebf86595a803315794008cb80
Instruction Fuzzy Hash: 79E0B672014188AFCF21AF54DD5AA583B69EB81781B118014FC999E263DB35ED52DB80

Function 009DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 009DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DB1D4
_wcslen.LIBCMT ref: 009DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DB236
_wcslen.LIBCMT ref: 009DB332

Part of subcall function 009C05A7: GetStdHandle.KERNEL32(000000F6), ref: 009C05C6

_wcslen.LIBCMT ref: 009DB34B
_wcslen.LIBCMT ref: 009DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DB3B6
GetLastError.KERNEL32(00000000), ref: 009DB407
CloseHandle.KERNEL32(?), ref: 009DB439
CloseHandle.KERNEL32(00000000), ref: 009DB44A
CloseHandle.KERNEL32(00000000), ref: 009DB45C
CloseHandle.KERNEL32(00000000), ref: 009DB46E
CloseHandle.KERNEL32(?), ref: 009DB4E3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4212a63099f4d74cc8c97a198b8d0132f00238213bab35d2f92348db0ef72c57
Instruction ID: 52564c712c728030ca8fb63baef13a39161cc5c05c76bfeef3cb9608ce604bda
Opcode Fuzzy Hash: 4212a63099f4d74cc8c97a198b8d0132f00238213bab35d2f92348db0ef72c57
Instruction Fuzzy Hash: 92F18832608340DFC714EF25D891B2ABBE5AF85714F15895EF8998B3A2DB31EC05CB52

Function 0095D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0095D807
timeGetTime.WINMM ref: 0095DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB28
TranslateMessage.USER32(?), ref: 0095DB7B
DispatchMessageW.USER32(?), ref: 0095DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB9F
Sleep.KERNELBASE(0000000A), ref: 0095DBB1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 74c9ed9ff062aebb72d3edea65deb90c1595802791e71ad1046781eb340aec3b
Instruction ID: 436b7e5be2dbad4b11e8a7e5daf4cfde6d5b1811fa99252f703e014e9a0ddebc
Opcode Fuzzy Hash: 74c9ed9ff062aebb72d3edea65deb90c1595802791e71ad1046781eb340aec3b
Instruction Fuzzy Hash: 00421470609341DFD734CF29C894BAAB7E5BF86305F14892DF89587291D774E849CB82

Function 00952CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952D07
RegisterClassExW.USER32(00000030), ref: 00952D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
LoadIconW.USER32(000000A9), ref: 00952D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

TaskbarCreated, xrefs: 00952D37
+, xrefs: 00952CF0
0, xrefs: 00952CE9
AutoIt v3 GUI, xrefs: 00952D23

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction ID: 14eee6303cf03b2357b0dcb83f586d0f0797196e8f7c24648aecd16b3fa35fe2
Opcode Fuzzy Hash: 58edf0f24ca58202e7a4e8096b78a8e139ecb0c07098605b467e39095ef50606
Instruction Fuzzy Hash: 7221F7B5911348AFDB10DFE8EC89BEDBBB4FB08705F00412AF551AA2A0D7B10942DF91

Function 0099065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0099039A: CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

GetLastError.KERNEL32 ref: 0099076F
__dosmaperr.LIBCMT ref: 00990776
GetFileType.KERNELBASE(00000000), ref: 00990782
GetLastError.KERNEL32 ref: 0099078C
__dosmaperr.LIBCMT ref: 00990795
CloseHandle.KERNEL32(00000000), ref: 009907B5
CloseHandle.KERNEL32(?), ref: 009908FF
GetLastError.KERNEL32 ref: 00990931
__dosmaperr.LIBCMT ref: 00990938

Strings

H, xrefs: 009908BD

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction ID: 524fbb7ff75753df1bf88541cff01c2d8c4d7216a52190167c577af2d1033f41
Opcode Fuzzy Hash: 1cab8e87ad30dfe5be61995c56fdb74ce8f905b3f22dbf59f345a9d2f5f0628b
Instruction Fuzzy Hash: 69A12732A141048FDF19EFACDC52BAE7BA4AB86320F144159F825AF392D7359C13CB91

Function 0095344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00953A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A21418,?,00952E7F,?,?,?,00000000), ref: 00953A78

Part of subcall function 00953357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00953379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0095356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009931CE
RegCloseKey.ADVAPI32(?), ref: 00993210
_wcslen.LIBCMT ref: 00993277
_wcslen.LIBCMT ref: 00993286

Strings

\Include\, xrefs: 00953527
\, xrefs: 0099328C
Software\AutoIt v3\AutoIt, xrefs: 00953560
Include, xrefs: 00993184, 009931C5

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e136a9abcc5076cf41a82f863883e2c5f12241e649467db25f49418cb4c58d0e
Instruction ID: 20f9c5f70344c48f934d26b20048e22b38d721f061f1ec4c39d6e3169539a9af
Opcode Fuzzy Hash: e136a9abcc5076cf41a82f863883e2c5f12241e649467db25f49418cb4c58d0e
Instruction Fuzzy Hash: 07718271404301AEC724DF6AEC91A6BBBE8FFD5740F40483DF9859B161EB349A4ACB51

Function 00952B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00952B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00952B9D
LoadIconW.USER32(00000063), ref: 00952BB3
LoadIconW.USER32(000000A4), ref: 00952BC5
LoadIconW.USER32(000000A2), ref: 00952BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00952BEF
RegisterClassExW.USER32(?), ref: 00952C40

Part of subcall function 00952CD4: GetSysColorBrush.USER32(0000000F), ref: 00952D07
Part of subcall function 00952CD4: RegisterClassExW.USER32(00000030), ref: 00952D31
Part of subcall function 00952CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00952D42
Part of subcall function 00952CD4: InitCommonControlsEx.COMCTL32(?), ref: 00952D5F
Part of subcall function 00952CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00952D6F
Part of subcall function 00952CD4: LoadIconW.USER32(000000A9), ref: 00952D85
Part of subcall function 00952CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00952D94

Strings

#, xrefs: 00952C16
AutoIt v3, xrefs: 00952C2F
0, xrefs: 00952C0F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction ID: eaceec00a6ea9e68bc18e6b44ca6b71149a4a0d8774948356a38ed8ed4fec225
Opcode Fuzzy Hash: 54d04b98be168cfa5d5765bdaf6ed79cc9932db1c075e81e6edcbbd377e52484
Instruction Fuzzy Hash: 6C2130B0D10354ABDB60DFD9EC89AA97FB5FB58B54F00003AE500AA660D7B10943DF90

Function 00953170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0095316A,?,?), ref: 009531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0095316A,?,?), ref: 00953204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00953227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0095316A,?,?), ref: 00953232
CreatePopupMenu.USER32 ref: 00953246
PostQuitMessage.USER32(00000000), ref: 00953267

Strings

TaskbarCreated, xrefs: 0095322D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 402a66416430e850523ea07f1ac6f054fa45a1c8a5594090d7528923fdf34687
Instruction ID: 982e39983810b49249a55613a9f1fd3d2b31396519bb96ab322ff0a463cd5044
Opcode Fuzzy Hash: 402a66416430e850523ea07f1ac6f054fa45a1c8a5594090d7528923fdf34687
Instruction Fuzzy Hash: 3F419630218600BBDF24EBBD9D4DB793B1DE745382F048535FD128A1A1CB758E4A97A1

Function 00951410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00951459
CoUninitialize.COMBASE ref: 009514F8
UnregisterHotKey.USER32(?), ref: 009516DD
DestroyWindow.USER32(?), ref: 009924B9
FreeLibrary.KERNEL32(?), ref: 0099251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0099254B

Strings

close all, xrefs: 00951454

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3d91e6d716ced3e6a9a603f3944d27c8412bd50b575f810e1b58eb031344da04
Instruction ID: fe22c3f1c70323644f88c4c80d149fa57e24821b51802cde676b2387ad0eafd1
Opcode Fuzzy Hash: 3d91e6d716ced3e6a9a603f3944d27c8412bd50b575f810e1b58eb031344da04
Instruction Fuzzy Hash: 98D1BE31702212DFCB29EF1AC899B29F7A4BF45701F1541ADE84A6B262DB31EC16CF51

Function 00952C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00952C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00952CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00951CAD,?), ref: 00952CCF

Strings

AutoIt v3, xrefs: 00952C89, 00952C8E, 00952C8F
edit, xrefs: 00952CAC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction ID: 790ecccae7432c5bd2e3419e789707573da04bc4e6b50f0ec8a3e968e121518d
Opcode Fuzzy Hash: ddc016e0254ce53bf71ed45bc2c444d52a81bdc5cea93bfbc2312498575602d4
Instruction Fuzzy Hash: 36F03AB95413D47AEB71875BAC4CE772EBED7DAF50B01003AF900AA1A0C2710C43DAB0

Function 00953B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00953B0F,SwapMouseButtons,00000004,?), ref: 00953B83

Strings

Control Panel\Mouse, xrefs: 00953B3E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction ID: eeb031a5e5fded04b292cd482ea8dc9a4482ab655de4f82a097ae128404c4cd0
Opcode Fuzzy Hash: 0ba3b3956eb2b5a85af3b133c1ee6ebb621e3e07c4d04e7c60f40e877bd6972d
Instruction Fuzzy Hash: CA112AB5520218FFDB20CFA6DC84ABEB7BCEF05786B108959F805D7110D2319F45AB60

Function 00953923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009933A2

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00953A04

Strings

Line: , xrefs: 009933EB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction ID: 5946d901704da8f3a3183b287a5c1e8d0c7ccfa6027db74579fefdb66d32b979
Opcode Fuzzy Hash: 426ed12ca5e45b924766bd72b335a65c52deddf18976a44e8f0f5597476271df
Instruction Fuzzy Hash: CB3136B1408304ABC721EB25DC45BEFB3DCAF90751F00892AF99987191EB709A4EC7C2

Function 0096FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00970668

Part of subcall function 009732A4: RaiseException.KERNEL32(?,?,?,0097068A,?,00A21444,?,?,?,?,?,?,0097068A,00951129,00A18738,00951129), ref: 00973304

__CxxThrowException@8.LIBVCRUNTIME ref: 00970685

Strings

Unknown exception, xrefs: 00970692

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3d9fd19a7e3b3df02f6e2edad7daec53e91a254b4217361d556e172f5932a7a4
Instruction ID: 5e0d1facd7b77326407c02a6c4e210fd5c08d873854802cf7f0f7c2ca3cd4eeb
Opcode Fuzzy Hash: 3d9fd19a7e3b3df02f6e2edad7daec53e91a254b4217361d556e172f5932a7a4
Instruction Fuzzy Hash: 80F0C23690020DB7CB00B665E866E9E7B6C6EC0350B60C671B82C965D2EF71EA65C980

Function 009510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00951BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
Part of subcall function 00951BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Part of subcall function 00951B4A: RegisterWindowMessageW.USER32(00000004,?,009512C4), ref: 00951BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0095136A
OleInitialize.OLE32 ref: 00951388
CloseHandle.KERNEL32(00000000,00000000), ref: 009924AB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2494297c513fef61a35a0cda17d28cd49d7d6011e7538b2f4ba65bec573b4815
Instruction ID: cdea7623b3aa0a2868894d2a82b76fb1e617c4297c4826ecd75ea8d336f3e1f4
Opcode Fuzzy Hash: 2494297c513fef61a35a0cda17d28cd49d7d6011e7538b2f4ba65bec573b4815
Instruction Fuzzy Hash: A971CCB49113448FC7A4EFBEAD956753AE1FBA834475482BAD84AC7362EB344407CF44

Function 009BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00953923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00953A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009BC259
KillTimer.USER32(?,00000001,?,?), ref: 009BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009BC270

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0b77c408cfc658c4f8da34cafe0425a9b853108dc773fd7c045a684d03054c35
Instruction ID: 5b9163a522da32d8be82bdef1128c4420f6fc348170f645cc2a206a1110c2749
Opcode Fuzzy Hash: 0b77c408cfc658c4f8da34cafe0425a9b853108dc773fd7c045a684d03054c35
Instruction Fuzzy Hash: 2D31D5B0904384AFEB32CF648995BE7BBEC9F06314F00049ED5EAA7241C374AA85CB51

Function 009886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009885CC,?,00A18CC8,0000000C), ref: 00988704
GetLastError.KERNEL32(?,009885CC,?,00A18CC8,0000000C), ref: 0098870E
__dosmaperr.LIBCMT ref: 00988739

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction ID: 1b5efde7887a0872002090293264898dbd198542728d1f624d3692fb68b533c9
Opcode Fuzzy Hash: 648bec51828edc211ce1738bb2cfebd8fc3a7840fed77488cd00be9fc4fc63e9
Instruction Fuzzy Hash: 69012B3760566056D634B2386849B7F675D4BC1774F79011AF8149B3D3EEA5DC828360

Function 0095DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0095DB7B
DispatchMessageW.USER32(?), ref: 0095DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0095DB9F
Sleep.KERNELBASE(0000000A), ref: 0095DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 009A1CC9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a283937b0f819edbbc8b694e32830c170d70f963e04ed8b0b9527a96ef807c48
Instruction ID: f11091a966064caeb53e7f63c968fafc3148075354da2cdf29a83433db9dcc29
Opcode Fuzzy Hash: a283937b0f819edbbc8b694e32830c170d70f963e04ed8b0b9527a96ef807c48
Instruction Fuzzy Hash: 46F05E706193809BE730CBA18C89FAA73BDEB85311F104928EA8AC70C0DB30A4899B15

Function 00961310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009617F6

Strings

CALL, xrefs: 009617C6

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9e28822477dbc57cd48db685fd7504bb7cab6cc123a6bb5af82b2b9f0f9eca31
Instruction ID: 509134047eb5104b2fe1c42df8cc64387e5f7a0beb279f8459127457208c4c50
Opcode Fuzzy Hash: 9e28822477dbc57cd48db685fd7504bb7cab6cc123a6bb5af82b2b9f0f9eca31
Instruction Fuzzy Hash: 88227B706083419FC714DF14C490B2ABBF5BF8A314F18896DF4968B3A2DB75E945CB92

Function 00952DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00992C8C

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 00952DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Strings

X, xrefs: 00992C5A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction ID: c6489b65292763b624ee3c148cdc7944533b71276c5fcdf8136d308fb1900ee6
Opcode Fuzzy Hash: 37e4e896e054b3417f088ff7fc61461f4b405996ccf87334d8e14ea06d3728f3
Instruction Fuzzy Hash: 4921C671A102589FDF41DF95C8457EE7BFCAF89315F008059E805EB241EBB4598DCB61

Function 00953837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c2c46671b59e4d83e4008ea3788870f0905563c667c567920fcd72cc6f01c52c
Instruction ID: 29841ccc00bb7920ce3e91d9ef1c54551f59bac100fed558020638f26e24d3f9
Opcode Fuzzy Hash: c2c46671b59e4d83e4008ea3788870f0905563c667c567920fcd72cc6f01c52c
Instruction Fuzzy Hash: 0731D2B0504300CFD761DF69D885BA7BBE8FF49749F00092EFA9987250E771AA49CB52

Function 0096F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0096F661

Part of subcall function 0095D730: GetInputState.USER32 ref: 0095D807

Sleep.KERNEL32(00000000), ref: 009AF2DE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 58ebcab8fd59bfac8b312ebda7d37e1f4e0daac40e6e125dedadda71e741d78c
Instruction ID: 8b576405fbb37d492978fcc0fb5ed0be88d74ef9ed42aaa3008902f4e6430ad0
Opcode Fuzzy Hash: 58ebcab8fd59bfac8b312ebda7d37e1f4e0daac40e6e125dedadda71e741d78c
Instruction Fuzzy Hash: D6F082712442059FD314EF75E455B5AB7E4EF8A761F000029FC59C7260DB70AC05CB90

Function 00954ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
Part of subcall function 00954E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
Part of subcall function 00954E90: FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EFD

Part of subcall function 00954E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
Part of subcall function 00954E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
Part of subcall function 00954E59: FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7cbb82165614d4f88471567d234be4678ba16c097c87ca04f072fe101d4821f5
Instruction ID: cec00cdb0c6059665632829701678ef4a75a4db500e18d0fe5dd3ec86fe0a3a5
Opcode Fuzzy Hash: 7cbb82165614d4f88471567d234be4678ba16c097c87ca04f072fe101d4821f5
Instruction Fuzzy Hash: 2D11C831610205ABCF14EF69DC12FAD77A59F80716F10841DFD42A61C1EE749E499B50

Function 00988402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00988440

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction ID: bdbcb5a168702e2f6f1caedaa655859b774169b27f7fb4ac39b73cc3dab322ea
Opcode Fuzzy Hash: b3a745b4aa7d007f240602832778dde61aeb300624e2bee5c63df0a9c6016350
Instruction Fuzzy Hash: 7911187690410AAFCF15DF58E941A9B7BF9EF48314F104069FC08AB312DB31DA11CBA5

Function 00985000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00984C7D: RtlAllocateHeap.NTDLL(00000008,00951129,00000000,?,00982E29,00000001,00000364,?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?), ref: 00984CBE

_free.LIBCMT ref: 0098506C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 731eddd7188424f12ad7c5b6c61e68427b2e9469851c0707bf9d4b1bc986d368
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 530149722047056BE3319F69D881A9AFBECFBC9370F26051DE188933C0EA30A805C7B4

Function 0097E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 2b40e42487ae2c3c335652b265098b95f227f1fda699197bad0acf73746f4390
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B3F02833511A14E6C7313A698C05B5B339C9FD6330F108B55F829972D2DB74E80187A5

Function 00984C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00951129,00000000,?,00982E29,00000001,00000364,?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?), ref: 00984CBE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 88031b0dca34e4b21cd8c81d0855057b1b35e1e89ad2e39f59675cf59b31bc35
Instruction ID: 80b13e8077e446588a42d131eb1b3000c9abbf0a9ad3083be5efc8e043a1b9fa
Opcode Fuzzy Hash: 88031b0dca34e4b21cd8c81d0855057b1b35e1e89ad2e39f59675cf59b31bc35
Instruction Fuzzy Hash: 94F0E93264622667DB217F629C05FDA778CBF817B0B148125F899AA381CB34DC0147E0

Function 00983820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction ID: 918ad67fc3ad68ce68539ac850b86856fbd65af41cdf6a8e09c5b816a13a26ed
Opcode Fuzzy Hash: d468137287497101d22d3a566c30db075eea29310d25d982af647099c2d79be7
Instruction Fuzzy Hash: E0E0653220522457D63137669C06B9A365DAF82FB0F15C125BC59A6A91DB21DD0283E1

Function 00954F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954F6D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 43651d77929d6f0c1890b48c4b769fdfdb86ba4419d55c83e7882a399527fd89
Instruction ID: 40ad9382c4223a2c556190cf052a8c3338d63c9c0cc614d2e20ca7a1fa07cd39
Opcode Fuzzy Hash: 43651d77929d6f0c1890b48c4b769fdfdb86ba4419d55c83e7882a399527fd89
Instruction Fuzzy Hash: 37F03071105751CFDB74DF6AD490852B7F4AF1431E3208D7EE9DA86511C7319888DF50

Function 009E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009E2A66

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f91c66f7122fd509a1691b15ae92cf8a4b8b115bc78da06ccff8a85483f986d1
Instruction ID: 55d127619cfe7069178969426ce83268a1730ebdc94b4d7ae143c7973db0588c
Opcode Fuzzy Hash: f91c66f7122fd509a1691b15ae92cf8a4b8b115bc78da06ccff8a85483f986d1
Instruction Fuzzy Hash: B9E02672754256AAC710EB31EC80AFE734CEF903A4700483AFC16C2180DB34DD9192E0

Function 009530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0095314E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ab8fdf04bd3f49a74370e7db545a6064729d7852413afa32bb888d1e76aedd53
Instruction ID: 78c2c58739ae7a30c9dd0b12427802e702fdcba48803ee8dadb0d65c6f98dc7f
Opcode Fuzzy Hash: ab8fdf04bd3f49a74370e7db545a6064729d7852413afa32bb888d1e76aedd53
Instruction Fuzzy Hash: 34F037709143589FEBA2DB64DC457E57BBCA701708F0000F5A5889A191D7745B8ACF55

Function 00952DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00952DC4

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction ID: b3a83e98dec6beceed391bf00142c2a094a741145140c57459d1daa0673c350b
Opcode Fuzzy Hash: 8b6e40bac8337941b5dfcc50253648cbeb2dcb26fba2bbe4b5ae7940bd836c83
Instruction Fuzzy Hash: 01E0CD726041245BCB10D2589C06FEA77DDDFC8790F040071FD09D7248DA70ED848650

Function 00952B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00953837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00953908

Part of subcall function 0095D730: GetInputState.USER32 ref: 0095D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00952B6B

Part of subcall function 009530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0095314E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d7a305d60a199e69f1406928f733ba499d149a12f5e38ce4196ff5958b6365c8
Instruction ID: 67f46154b1b685535f8b2dd3cf348ed24e76e7f41f69a08de27028b09f86c7b3
Opcode Fuzzy Hash: d7a305d60a199e69f1406928f733ba499d149a12f5e38ce4196ff5958b6365c8
Instruction Fuzzy Hash: 6AE07D6230434403C608FB77AC527BDB7599BE2393F40543EF946831A3CF20494E8311

Function 0099039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00990704,?,?,00000000,?,00990704,00000000,0000000C), ref: 009903B7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction ID: ba1ef08790bd0060096af43c8d920847fd2925fe94b7b7e5554820ef46032c9f
Opcode Fuzzy Hash: fb2236fb9665269b6859f7ab37be005b80865ca1902ee68ec32d4906f593f1e4
Instruction Fuzzy Hash: E4D06C3205414DBBDF028F84DD46EDA3FAAFB48714F014000BE5856020C732E822AB91

Function 00951CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00951CBC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction ID: b62e207ba35bb17e96210265281595ad50202f7cd172cd28c2560516a3169b5a
Opcode Fuzzy Hash: 8791ef18c0397a8d8084ba7bf1cbd5f55fb7cf0da869af108643816b9eb4f9eb
Instruction Fuzzy Hash: 39C04C35284344AAE224C7C4AD4AF207755A358B04F048011F649595E387A11812A650

Non-executed Functions

Function 009E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E96C9
SendMessageW.USER32 ref: 009E96F2
GetKeyState.USER32(00000011), ref: 009E978B
GetKeyState.USER32(00000009), ref: 009E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009E97AE
GetKeyState.USER32(00000010), ref: 009E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E97E9
SendMessageW.USER32 ref: 009E9810
SendMessageW.USER32(?,00001030,?,009E7E95), ref: 009E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009E9941
SetCapture.USER32(?), ref: 009E994A
ClientToScreen.USER32(?,?), ref: 009E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E99D6
ReleaseCapture.USER32 ref: 009E99E1
GetCursorPos.USER32(?), ref: 009E9A19
ScreenToClient.USER32(?,?), ref: 009E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9A80
SendMessageW.USER32 ref: 009E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9AEB
SendMessageW.USER32 ref: 009E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009E9B4A
GetCursorPos.USER32(?), ref: 009E9B68
ScreenToClient.USER32(?,?), ref: 009E9B75
GetParent.USER32(?), ref: 009E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009E9BFA
SendMessageW.USER32 ref: 009E9C2B
ClientToScreen.USER32(?,?), ref: 009E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009E9CDE
SendMessageW.USER32 ref: 009E9D01
ClientToScreen.USER32(?,?), ref: 009E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009E9D82

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetWindowLongW.USER32(?,000000F0), ref: 009E9E05

Strings

@GUI_DRAGID, xrefs: 009E997D
F, xrefs: 009E9D07

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6e45c378897108d8d14638bef7e2f08c98827207cfffa51234ef2b6d73c4595f
Instruction ID: 72b4a4d6525a9b64722fe22931647ae119c1b4cb4af72c37543107c7d09d142b
Opcode Fuzzy Hash: 6e45c378897108d8d14638bef7e2f08c98827207cfffa51234ef2b6d73c4595f
Instruction Fuzzy Hash: 7A429070108281AFD722CF6ACC84BAABBF9FF49714F14061AF999872A1D731DC55DB41

Function 009E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009E4A7E
IsMenu.USER32(?), ref: 009E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E4B20
GetWindowLongW.USER32(?,000000F0), ref: 009E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009E4C82
wsprintfW.USER32 ref: 009E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009E4D5A

Strings

%d/%02d/%02d, xrefs: 009E4CA8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8d4ffec615c82e6c745a540640d3ba69afac466ad18e5981b92f1bc8548f73a8
Instruction ID: 57f4984f47c6302e78b4b507b1ccf0131fa420dfe9db59eb7ec42ed5c1bc523b
Opcode Fuzzy Hash: 8d4ffec615c82e6c745a540640d3ba69afac466ad18e5981b92f1bc8548f73a8
Instruction Fuzzy Hash: 6E12F071900284ABEB268F26CC49FAE7BF8EF85B10F104529F915EB2E1DB749D41CB50

Function 0096F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0096F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009AF474
IsIconic.USER32(00000000), ref: 009AF47D
ShowWindow.USER32(00000000,00000009), ref: 009AF48A
SetForegroundWindow.USER32(00000000), ref: 009AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4AA
GetCurrentThreadId.KERNEL32 ref: 009AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 009AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009AF4DE
SetForegroundWindow.USER32(00000000), ref: 009AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF4F6
keybd_event.USER32(00000012,00000000), ref: 009AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF50B
keybd_event.USER32(00000012,00000000), ref: 009AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF519
keybd_event.USER32(00000012,00000000), ref: 009AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 009AF528
keybd_event.USER32(00000012,00000000), ref: 009AF52D
SetForegroundWindow.USER32(00000000), ref: 009AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 009AF557

Strings

Shell_TrayWnd, xrefs: 009AF46F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction ID: 0cc05e871f74d3dd1b15ef92ec2fcda21953c31757d74ba6b6a3612a0809833e
Opcode Fuzzy Hash: 95e19789217cc71a65f4be379ba72dc68c411a4d35dc70a55754888f8eccaab3
Instruction Fuzzy Hash: D131A6B1A54358BFEB206BF55C8AFBF7E6DEB45B50F100425FA00EA1D1C6B15D01BAA0

Function 009B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009B12A8
CloseHandle.KERNEL32(?), ref: 009B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009B12D1
GetProcessWindowStation.USER32 ref: 009B12EA
SetProcessWindowStation.USER32(00000000), ref: 009B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009B1310

Part of subcall function 009B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
Part of subcall function 009B10BF: CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Strings

winsta0, xrefs: 009B12CC
default, xrefs: 009B130B
, xrefs: 009B125A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 89540d0c169e6ddc3d171c22499f33659244d898590f57edaafe803b51da81f6
Instruction ID: 2e474adf83358a17ada1c8813b841d1bb91020f26dcd78e944306aacd96e5503
Opcode Fuzzy Hash: 89540d0c169e6ddc3d171c22499f33659244d898590f57edaafe803b51da81f6
Instruction Fuzzy Hash: 5481ACB1900249AFDF219FA4DE99FEE7BBEEF44710F144129F910A61A0CB318D45CB24

Function 009B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0C00
GetLengthSid.ADVAPI32(?), ref: 009B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 009B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0C6D
GetLengthSid.ADVAPI32(?), ref: 009B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0C8C
HeapAlloc.KERNEL32(00000000), ref: 009B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0CB4
CopySid.ADVAPI32(00000000), ref: 009B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D45
HeapFree.KERNEL32(00000000), ref: 009B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D55
HeapFree.KERNEL32(00000000), ref: 009B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0D65
HeapFree.KERNEL32(00000000), ref: 009B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0D78
HeapFree.KERNEL32(00000000), ref: 009B0D7F

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction ID: f02c9135fe8d42c278483c22118c26a37152b8a3e1634ab30beed5afeba5fbf6
Opcode Fuzzy Hash: 9e0111c89a7e134751b44924d322315abc0111f6a3596f5897eee86e5b26c242
Instruction Fuzzy Hash: 73716CB290420AABDF10DFA4DD85BEFBBBCBF84320F044515E955AB191D771AE06CB60

Function 009CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009ECC08), ref: 009CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009CEB37
GetClipboardData.USER32(0000000D), ref: 009CEB43
CloseClipboard.USER32 ref: 009CEB4F
GlobalLock.KERNEL32(00000000), ref: 009CEB87
CloseClipboard.USER32 ref: 009CEB91
GlobalUnlock.KERNEL32(00000000), ref: 009CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009CEBC9
GetClipboardData.USER32(00000001), ref: 009CEBD1
GlobalLock.KERNEL32(00000000), ref: 009CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 009CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009CEC38
GetClipboardData.USER32(0000000F), ref: 009CEC44
GlobalLock.KERNEL32(00000000), ref: 009CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009CECD2
GlobalUnlock.KERNEL32(00000000), ref: 009CECF3
CountClipboardFormats.USER32 ref: 009CED14
CloseClipboard.USER32 ref: 009CED59

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction ID: a70bcf351060bbd48ea1c9deff6cfe8c31d2d55bb8451efd3b53d391e10d2560
Opcode Fuzzy Hash: 23d481178783c60e488a74d305204402290cad8eed681be6cd0b5345a3b636eb
Instruction Fuzzy Hash: A161BC746083429FD300EF25D885F3A7BA8AF84714F14451DF9978B2A2DB31DD0ADB62

Function 009C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C69BE
FindClose.KERNEL32(00000000), ref: 009C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009C6A75

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009C6ADF

Strings

%02d, xrefs: 009C6C00, 009C6C0A, 009C6C5A, 009C6CAA, 009C6CFA, 009C6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 009C6B32
%03d, xrefs: 009C6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 009C6B6A
%4d, xrefs: 009C6BB1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0fc1e971ea131097c736ed1a1c194aba861519b3520385f140287cb4a2a133cf
Instruction ID: c7b65033459ee4ecc8dfd225496478784be39d65a805c478d166b71bee41abb8
Opcode Fuzzy Hash: 0fc1e971ea131097c736ed1a1c194aba861519b3520385f140287cb4a2a133cf
Instruction Fuzzy Hash: B8D161B1908300AFC710EBA5D891FABB7ECAF88705F44491DF989C7191EB34DA48C762

Function 009C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009C9663
GetFileAttributesW.KERNEL32(?), ref: 009C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009C96D3
FindClose.KERNEL32(00000000), ref: 009C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009C974A
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C9772
FindClose.KERNEL32(00000000), ref: 009C977F
FindClose.KERNEL32(00000000), ref: 009C978F

Strings

*.*, xrefs: 009C96F5

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction ID: 5f174c7dbad670490d4b972d117ed391b743d6ea27a62911b949bd6aa14eb9da
Opcode Fuzzy Hash: 147733c47061887bdf20600e17f322ed63412626f1a70cc0187968c875cafb1b
Instruction Fuzzy Hash: 5531E072945249AADF10AFB4DC4DFDE37ACAF49320F104459F964E21A0DB74DE818A25

Function 009C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009C9819
FindClose.KERNEL32(00000000), ref: 009C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009C9890
SetCurrentDirectoryW.KERNEL32(00A16B7C), ref: 009C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009C98B8
FindClose.KERNEL32(00000000), ref: 009C98C5
FindClose.KERNEL32(00000000), ref: 009C98D5

Part of subcall function 009BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009BDB00

Strings

*.*, xrefs: 009C983B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction ID: 147facd56bb74cfeaef5f8fb375bfb2e649c081b6a863f398750573a8bd1275e
Opcode Fuzzy Hash: 9aff9fffad979d6f4f4d61a79695cb4f4d9230fbbbda2a7ab1141a47b09c54be
Instruction Fuzzy Hash: B7310132944259BEDB10AFB4EC4CFDE37ACAF46320F108459E8A4E31D0DB71DE858A21

Function 009DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 009DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 009DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 009DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009DC382
RegCloseKey.ADVAPI32(00000000), ref: 009DC38F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: e716e1819410e47cd3e84201c1d362e48fb735ad9d7dfa436232d1f3aa68b50c
Instruction ID: d64cf4323a9f3dce6af5a76a57289d8ae81a78c3c2415358d08b584ef3f2c80d
Opcode Fuzzy Hash: e716e1819410e47cd3e84201c1d362e48fb735ad9d7dfa436232d1f3aa68b50c
Instruction Fuzzy Hash: 1A024DB16042019FD714DF28C895E2ABBE5AF89314F18C49DF849DB3A2D731ED46CB51

Function 009C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8395

Strings

*.*, xrefs: 009C839B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction ID: 1d7a28c5c6c8f1f2b383f1e0d7c37b6fbdb1ce95ce48e8c563c6085b91b451a4
Opcode Fuzzy Hash: a046f13abf6bf88277dda7f82f765acfd683cc4229699d818c3a88fac26bb050
Instruction Fuzzy Hash: F56139B25083459FCB10DF64C844AAFB3E8FF89311F04891EF99997251EB35E949CB92

Function 009BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009BD1DD
MoveFileW.KERNEL32(?,?), ref: 009BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD237

Part of subcall function 009BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009BD21C,?,?), ref: 009BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 009BD253
FindClose.KERNEL32(00000000), ref: 009BD264

Strings

\*.*, xrefs: 009BD0CD, 009BD0D6, 009BD0EB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ccdee2343fd0b105f09566caf86001103ddfa6d57281a1d1b6d365ee31bb77ba
Instruction ID: d6f39ced702236a86c20df656747043e5444ab6cf18fdccc9ec92d1383032171
Opcode Fuzzy Hash: ccdee2343fd0b105f09566caf86001103ddfa6d57281a1d1b6d365ee31bb77ba
Instruction Fuzzy Hash: 9D619E7180614DAFCF05EBE1DA92AEDB7B9AF94311F204165E81177192EB30AF09DB60

Function 009CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009CED91
EmptyClipboard.USER32 ref: 009CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009CEDAC
CloseClipboard.USER32 ref: 009CEEA3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction ID: 3b75ab2ffe66f1a330cd5cab34138450734bbb8263909b6970158e0770b04549
Opcode Fuzzy Hash: 323dba27faf97af8917cc160a626c455f7d34283fc5a77d532940fec541a1b2c
Instruction Fuzzy Hash: 8441CC75A08251AFE320DF15D888F1ABBA5EF44358F04C09DE8668F6A2C735ED42CB91

Function 009BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
Part of subcall function 009B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
Part of subcall function 009B16C3: GetLastError.KERNEL32 ref: 009B174A

ExitWindowsEx.USER32(?,00000000), ref: 009BE932

Strings

, xrefs: 009BE920
SeShutdownPrivilege, xrefs: 009BE902
, xrefs: 009BE95C
@, xrefs: 009BE925

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction ID: 5d51dbde85fa92ace37b00efadeb656c1f52f0be9f1b5d2d5a6ac5da7e85cc2c
Opcode Fuzzy Hash: 00eabdfcef31fcb1de554848ff617360f4e26a690dc7e46d870333e829c4c6ae
Instruction Fuzzy Hash: 55012673624310AFEB1826B49E86BFB729CA7047A0F140822F813E21D1D5A45C489190

Function 009D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D1276
WSAGetLastError.WSOCK32 ref: 009D1283
bind.WSOCK32(00000000,?,00000010), ref: 009D12BA
WSAGetLastError.WSOCK32 ref: 009D12C5
closesocket.WSOCK32(00000000), ref: 009D12F4
listen.WSOCK32(00000000,00000005), ref: 009D1303
WSAGetLastError.WSOCK32 ref: 009D130D
closesocket.WSOCK32(00000000), ref: 009D133C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction ID: 4255446aba42538867afd5dba26837085b2092c82c8d5ba1724151a163084530
Opcode Fuzzy Hash: 5b4dcd70a48c4edefed38cdc7030cf5f2c620ba1d5d7f54c37febe38528c203c
Instruction Fuzzy Hash: E241B171600240AFD714DF64C5C8B29BBE5AF86318F18C089E9668F392C771ED86CBE1

Function 009BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

FindFirstFileW.KERNEL32(?,?), ref: 009BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 009BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BD481
FindClose.KERNEL32(00000000), ref: 009BD498
FindClose.KERNEL32(00000000), ref: 009BD4A1

Strings

\*.*, xrefs: 009BD3F2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction ID: 8844b239f08c73649c8ca344f8d21123d5fbc399e04f64a5774b88cc8b496f06
Opcode Fuzzy Hash: 3df858e5543ea6942c86e7ee2e966fd7758982922d29eb5b5153b3f88076e46f
Instruction Fuzzy Hash: 60315C7101D3859FC200EF65D9929EFB7E8AE91351F444E2DF8D1931A1EB30AA0D9762

Function 0098E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0098E645

Strings

1#QNAN, xrefs: 0098F84B
1#IND, xrefs: 0098F83D
1#INF, xrefs: 0098F852
1#SNAN, xrefs: 0098F844

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction ID: cc7a2a8a13cfa456ee9f9695ded0cc1d61732fe537376a3e69a2532a81c980cb
Opcode Fuzzy Hash: bea32cd20fb5865937895e9030f96fc09b65d1c8f68c387bfd426bef77678aa6
Instruction Fuzzy Hash: 5BC23B72E086298FDB25DE28DD547EAB7B9EB84304F1445EAD44DE7340E778AE818F40

Function 009C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C64DC
CoInitialize.OLE32(00000000), ref: 009C6639
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C6650
CoUninitialize.OLE32 ref: 009C68D4

Strings

.lnk, xrefs: 009C64BA, 009C6524, 009C65E0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d48fd334a940737414fe033d6e44a050c5f855ed22d20f8bf67b99eb6e6783ee
Instruction ID: 912fc6fbb8c19138c7c333a490fe625e7bdffe7d3f398326ebcf08b6a1d4e132
Opcode Fuzzy Hash: d48fd334a940737414fe033d6e44a050c5f855ed22d20f8bf67b99eb6e6783ee
Instruction Fuzzy Hash: 95D14871508241AFD304EF25C881E6BB7E9FFD4705F50496DF9958B291EB30EA09CB92

Function 009D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009D22E8

Part of subcall function 009CE4EC: GetWindowRect.USER32(?,?), ref: 009CE504

GetDesktopWindow.USER32 ref: 009D2312
GetWindowRect.USER32(00000000), ref: 009D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009D2355
GetCursorPos.USER32(?), ref: 009D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D23DF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction ID: 2bcf67fae23403ebd6dbae60d501b4332b8a27dacfd1d14b9aeb5b772ab78d96
Opcode Fuzzy Hash: 5684d4b2c732b0327db26a40749949ebe72868079138498aff42bb6ae0af8fbf
Instruction Fuzzy Hash: C631CD72548355ABCB20DF14C849B9BBBADFF84710F00491AF9959B291DB34EA09CB92

Function 009C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009C9C8B

Part of subcall function 009C3874: GetInputState.USER32 ref: 009C38CB
Part of subcall function 009C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009C9C75

Strings

*.*, xrefs: 009C9B5D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 718beafe2bf5913692ac0d258c3d7873f9d89c4e4d375dee3b381bdc898d59bb
Instruction ID: b00425c404ec026174181606d4b95de003f96ff4ebd5a80c462705f04e7dde6d
Opcode Fuzzy Hash: 718beafe2bf5913692ac0d258c3d7873f9d89c4e4d375dee3b381bdc898d59bb
Instruction Fuzzy Hash: 0E419E71D4420AAFCF14DF64C889FEEBBB8EF55310F208059E849A2191EB309E84CF61

Function 0096997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00969A4E
GetSysColor.USER32(0000000F), ref: 00969B23
SetBkColor.GDI32(?,00000000), ref: 00969B36

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction ID: a7459af0b61b75748f7f263885ab4688b4468d23e0897b2a80179a354668e7e9
Opcode Fuzzy Hash: b4336a2a6dc17a8d0df9bc48fa71005fc21b33414989a225f3b4b90dff86e812
Instruction Fuzzy Hash: 89A12870208444BEE725EBBD8C9AF7B76DDDB83340F15051AF502CA691CA399D02D6B2

Function 009D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D185D
WSAGetLastError.WSOCK32 ref: 009D1884
bind.WSOCK32(00000000,?,00000010), ref: 009D18DB
WSAGetLastError.WSOCK32 ref: 009D18E6
closesocket.WSOCK32(00000000), ref: 009D1915

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction ID: 9ef85ad87550ff03a45bffeb2e2979307f7f29571990e2ad59b72166c8ad2279
Opcode Fuzzy Hash: de5d105779896ddf39beb61c78fabe729062f7d74db4289bd8da6b64d1318a9e
Instruction Fuzzy Hash: 35519171A40200AFDB10EF24D886F2AB7E5AB84718F48C459FD559F393DB71AD42CBA1

Function 009E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009E1CC0
IsWindowEnabled.USER32 ref: 009E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009E1CDB
IsIconic.USER32 ref: 009E1CE9
IsZoomed.USER32 ref: 009E1CF7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0a5c9ec3bd5473b7bbca4ec79da740d4ac6099aebd3b2fe4f7000b34caf4c463
Instruction ID: 20e36692780ed953ae81b3949e9e18ca6acf144cf4a8d38662af22df2ea2f9eb
Opcode Fuzzy Hash: 0a5c9ec3bd5473b7bbca4ec79da740d4ac6099aebd3b2fe4f7000b34caf4c463
Instruction Fuzzy Hash: F721A6717442915FD7228F1BC884B6A7BE9FF85315B298468E885CB391C771EC42CB90

Function 00958060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009583FA
VUUU, xrefs: 00995DF0
VUUU, xrefs: 009583E8
ERCP, xrefs: 0095813C
VUUU, xrefs: 0095843C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction ID: b64c5c7ff57943835b9f5f0c26848ed01c23d0654c1accc01a42ee16d214ee9d
Opcode Fuzzy Hash: 7b577ee7e8c8c42f95a9423097be49e3eab655f166d7a616d24f296b95e034e2
Instruction Fuzzy Hash: C4A29B70E0021ACBDF24CF59C8807AEB7B5BF54311F2585AAEC55AB284EB349D85CF90

Function 009BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009BAAAC
SetKeyboardState.USER32(00000080), ref: 009BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009BAB88

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction ID: 18ce59ea2e9164c9878e2197ed888c2360f9f92b56afaf9b959183bc4ad6fc1a
Opcode Fuzzy Hash: b8f75af111fdd4b0112a5025d41ea727013f36dadf3c8b63f59ee68701ddd406
Instruction Fuzzy Hash: EE314870A50268AEFF34CB64CD05BFA7BAAAB44330F04421BF1E1961D0D3788D85D762

Function 0098BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0098BB7F

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

GetTimeZoneInformation.KERNEL32 ref: 0098BB91
WideCharToMultiByte.KERNEL32(00000000,?,00A2121C,000000FF,?,0000003F,?,?), ref: 0098BC09
WideCharToMultiByte.KERNEL32(00000000,?,00A21270,000000FF,?,0000003F,?,?,?,00A2121C,000000FF,?,0000003F,?,?), ref: 0098BC36

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 54913cd89510bcc8abab919a87ce85d86a35185c3482ca11933e5786a870539f
Instruction ID: e13667d9a53016d8127d023f5952c7d9cf8cfb0cd8fd7f2a470e405873e2cf3d
Opcode Fuzzy Hash: 54913cd89510bcc8abab919a87ce85d86a35185c3482ca11933e5786a870539f
Instruction Fuzzy Hash: 5A317E71904245EFCB11EFADDC80979BBB8BF65750718467AE060DB3A1D7309E42DB50

Function 009CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009CCE89
GetLastError.KERNEL32(?,00000000), ref: 009CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009CCEFE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: af38dda3765adca9659e6c304e8269b19184974852c76f37cfb291d977baba57
Instruction ID: 1a61049f0f38d2b5ad5a102883d7dbce31a091332b940122c8932bbc188f2465
Opcode Fuzzy Hash: af38dda3765adca9659e6c304e8269b19184974852c76f37cfb291d977baba57
Instruction Fuzzy Hash: A621EDB1900305ABDB20CF65C988FAA7BFCEB41344F10881EE64AD2151E734EE059B51

Function 009B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009B82AA

Strings

|, xrefs: 009B82DA
(, xrefs: 009B82F0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f437807ad0426c1f20ea837ac9978c7f6df0c7d51cdc25aa3bbe6fb231fd403e
Instruction ID: b4fe12e028cef473e45ad830e42fdcb6045b0d454c8c83e60c380b8b8e1c0528
Opcode Fuzzy Hash: f437807ad0426c1f20ea837ac9978c7f6df0c7d51cdc25aa3bbe6fb231fd403e
Instruction Fuzzy Hash: FC323675A00605DFCB28CF59C581AAAB7F4FF48720B15C56EE49ADB3A1EB70E941CB40

Function 009C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009C5D17
FindClose.KERNEL32(?), ref: 009C5D5F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 82a8793b136e6e02a9875ae1aff2afd7b0bb527962f2e4a97b97613adc9ab16e
Instruction ID: 1dcb9bd9588f5a2a9f9417410a895776bef3b1b70ca1bce95598bdd6a1059e2b
Opcode Fuzzy Hash: 82a8793b136e6e02a9875ae1aff2afd7b0bb527962f2e4a97b97613adc9ab16e
Instruction Fuzzy Hash: FE516674A047019FC714CF28C494E96B7E8BF49324F15855DE9AA8B3A2DB30FD45CB92

Function 00982622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0098271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00982724
UnhandledExceptionFilter.KERNEL32(?), ref: 00982731

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction ID: 25d086ba2495837bc4217624b119882eaff1cca3a12f51e6edd9b51649f72a9d
Opcode Fuzzy Hash: cd0b63fc9e72da9e90848e087c7e7eb9b36f50ba213b66c0e9c4a7a9955cef5c
Instruction Fuzzy Hash: 8931B375911318ABCB21DF68DD897DDBBB8AF48710F5081EAE81CA7261E7309F818F45

Function 009C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009C5238
SetErrorMode.KERNEL32(00000000), ref: 009C52A1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction ID: b33ccaab0f1bc9b87ad38cba80baa12a62f77a4244c51b6d0f2fab182741b547
Opcode Fuzzy Hash: f45befbcab4b28c1e8fc0fb1688f083c826cdefa751b58108fb4bc060d172dc6
Instruction Fuzzy Hash: 6F313A75A00618DFDB00DF94D884FADBBB4FF48314F058099E845AB362DB35E85ACB91

Function 009B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970668
Part of subcall function 0096FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00970685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B173A
GetLastError.KERNEL32 ref: 009B174A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 17298817812315a2627150486e40cda5669af4c9f7f054d4b5fc46e8ae728c5f
Instruction ID: f586d772ab09de9f1a91237e95412dcf2dd2ac0de305a293fb5d8cb2ea802257
Opcode Fuzzy Hash: 17298817812315a2627150486e40cda5669af4c9f7f054d4b5fc46e8ae728c5f
Instruction Fuzzy Hash: 3511E3B2414305AFD7189F54ECC6EABB7BDEB44724B20852EF05657281EB70FC428B60

Function 009BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009BD650

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction ID: e13dad5c03c77bfee20124ec3e5c5244a8724db7fc4c39f6d731fcbdc693d170
Opcode Fuzzy Hash: 368a8d4a790aa62a87c8104d606e422231223af7312ad3a211ce141c5973f6e8
Instruction Fuzzy Hash: AF117CB1E05228BBDB108F949C84FEFBFBCEB45B60F108111F904E7290D2704A018BA1

Function 009B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009B16A1
FreeSid.ADVAPI32(?), ref: 009B16B1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction ID: 504eedd41d76ac265328f044fbb9f42ec7b5b0375a8d5ad0d9096063d64b74a8
Opcode Fuzzy Hash: b5fd90ec8014832ca60a1a2feeb019a73e7c4b6d215956aa3bcc4e919cba904f
Instruction Fuzzy Hash: D0F0F4B1950309FBDF00DFE49D89AAEBBBCEB08605F504565E501E6181E774AA449A50

Function 009AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009AD28C

Strings

X64, xrefs: 009AD2A8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction ID: 1d02a49d64785e41255f9f1c2f747e428b6a5ed6272d859e287802f86caf8718
Opcode Fuzzy Hash: 3a00d7356f50d1d1396d8b1afc01ae264771d507cb40ca12043c7704dfaafa87
Instruction Fuzzy Hash: ABD0C9B481611DEACF90DB90DCC8DD9B37CBB04305F100551F506A2000D73495499F50

Function 0097CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 2a3e3a8fe29ae918bc43b47790ad41a20336ed06c68d3b64b909746b51d068a9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FA021DB2E001199FDF24CFA9C8806ADBBF5EF88314F25856DD919E7380D731AE418B94

Function 009C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009C6918
FindClose.KERNEL32(00000000), ref: 009C6961

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction ID: a970dbd92eade25528ae9a902611754bf38ad05e96d5b934499d44fc5227c256
Opcode Fuzzy Hash: 775c7bbc8c937ec9bb28e5bd727ac64881df45e3078d77ff17e50582fb7b6cc8
Instruction Fuzzy Hash: 3B117C71A142009FC710DF6AD885B16BBE5EF89329F14C69DE8698F2A2C730EC05CB91

Function 009C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009D4891,?,?,00000035,?), ref: 009C37F4

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 436f616c40b75b95d0a63c168dc3b699dcce24e410bd49ef2f7decdba30eb49a
Instruction ID: 9d50ad0d401a1c446e3a35bab905d37c43605033b838564819cf215712f1141e
Opcode Fuzzy Hash: 436f616c40b75b95d0a63c168dc3b699dcce24e410bd49ef2f7decdba30eb49a
Instruction Fuzzy Hash: 15F0ECB16043196AE71057668C4DFEB365EEFC5761F004165F509D2281D9609D04C7B1

Function 009BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009BB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 009BB270

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction ID: 2cc06d150d43b86b70fad47049e6480da8c758cb9bfd49046083ce62c427909c
Opcode Fuzzy Hash: 853c8c0a72a43675891e2e37e84af0422f723a402c2eb4bb9f11449d42384bd7
Instruction Fuzzy Hash: 4DF01D7181428DABDB059FA1C805BEE7BB4FF04315F008409F965A9191C779D6119F94

Function 009B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B11FC), ref: 009B10D4
CloseHandle.KERNEL32(?,?,009B11FC), ref: 009B10E9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 98ab9747b2f867f0adae473ef504e15ba700e9db07841b8845391e89f08f09cd
Instruction ID: 0f64de77e90fe30508aa698211aa2cf40b5c09e6ea1a0777ea58dbfeabcd84a6
Opcode Fuzzy Hash: 98ab9747b2f867f0adae473ef504e15ba700e9db07841b8845391e89f08f09cd
Instruction Fuzzy Hash: FAE04F72018600AEE7252B11FC05F737BADEB04320F10882EF4A5844B1DB626C90EB10

Function 0095CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 009A0C40

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1a3cb024bb8fa4ffab279a2c5d74d86efbbb7629f0456e32f3c2125ae1346412
Instruction ID: 39af28ff27029acbfe7254b68ffc5f70a9f69936bc8d2fecf98eb2236d76eacc
Opcode Fuzzy Hash: 1a3cb024bb8fa4ffab279a2c5d74d86efbbb7629f0456e32f3c2125ae1346412
Instruction Fuzzy Hash: 86327AB09003189FCF14DF95C885BEDB7B9BF85305F248459EC06AB292D775AE49CB60

Function 0098676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00986766,?,?,00000008,?,?,0098FEFE,00000000), ref: 00986998

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction ID: 2bb04ee265b5b26e717a8568b5ea0adfea49c234894c128cf265cd18c2cf94c5
Opcode Fuzzy Hash: 48ab1851aef3568f68c8e37f52544a3c4b9c118adb458ab4f1a4bd2a1464ddac
Instruction Fuzzy Hash: 41B13A31610609DFD719DF28C48AB657BE0FF45364F258658E89ACF3A2C736E991CB40

Function 0096B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 009A851F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction ID: db6bf6da0f881d202701081602e4a315e00172200923fc0d6d7d6a344eb52d4c
Opcode Fuzzy Hash: fbf2f4147e9f6c8c403bc2f503e27289b8feb6b0264ec3d123aacd23618f5150
Instruction Fuzzy Hash: 661230719002299FDB14CF58C8807EEB7F5FF49710F14819AE849EB255EB349E81CB90

Function 009CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009CEABD

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction ID: e09263689145c2bcb40e907678f98b9e2d9415550ef2c9db8d0ac68946af9176
Opcode Fuzzy Hash: e464d515dec6cec28fb4ab23621ea49c1180122db7293349b5000e4a50ffc73a
Instruction Fuzzy Hash: A2E01A752102049FC710EF6AD844E9AB7E9AF98760F00841AFC4ACB291DA70A8458B91

Function 009709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009703EE), ref: 009709DA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction ID: 0c3688862f74e0f2b0020909b79d01f97799eae263cdb8fb561baad70f3dceb5
Opcode Fuzzy Hash: 8cc5d2634f85f80753af343b0bbf1de7ae55a1e32236db00ed9e861c5fb04cdd
Instruction Fuzzy Hash:

Function 0097781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0097798B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8415728957ff13f459aa341b8aa1ddd1bbfaa42a1c1d029692f5be0c6ad55429
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2251246360D705ABDB3885E8C89E7FEE39D9B82340F18C919D98ED7282C615DE01D397

Function 00986DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction ID: 8455fa4eec3ebc8349c972ba2fecc8002249810634199cf83d162fed61e64e52
Opcode Fuzzy Hash: 90aabb33b83efc9119c6d00f9504735d421c0f4739cabeb8f2de4c054113cbfb
Instruction Fuzzy Hash: 1C32E321D3DF014DD723A634D862335A649AFB73C5F25D737F82AB5AA5EB29C4839200

Function 0096CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction ID: 86676dca6fd5a1f798212d512d09aa7265f233c8cf835a66f241121a40f31cb9
Opcode Fuzzy Hash: 3e88e67fe02cc198a326b0d3ee156241c9aa08722007e52aa9eeed87819d1910
Instruction Fuzzy Hash: C83249F2A041058BDF24CF2CC4946BD77A9EF46314F298966E4DADF291D238DD81DB90

Function 00957920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62928e4766e792ce36909f81d6697aafff5369ad8a6484336bec0cfda1400c97
Instruction ID: 8d7367d8d3eae76a1633b6fb5e6b6abd14818db38eeb94343da798bd6837d789
Opcode Fuzzy Hash: 62928e4766e792ce36909f81d6697aafff5369ad8a6484336bec0cfda1400c97
Instruction Fuzzy Hash: E222C1B0A0460ADFDF14CFA9D881AAEF7B5FF44300F114529E816A7291EB3A9E55CB50

Function 009591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2257a6d13f676d7c6f19e2ba557d4c09224c19ad8a18463e332ff0d37844deb4
Instruction ID: 6d94cae95cb9decb06d7f8c2f6dc73f3b3e04542bfe36c85ef44fba55b207705
Opcode Fuzzy Hash: 2257a6d13f676d7c6f19e2ba557d4c09224c19ad8a18463e332ff0d37844deb4
Instruction Fuzzy Hash: D202E7B1E00209EBDF04DF59D881BADBBB5FF44300F108569E8569B290EB35EE15CB91

Function 00989EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da925daf0f5bf2b7b61cccf4df4b65f42ecfcd74e9e6634eaa1af891030548fb
Instruction ID: aa45e08197413cc5e4ec7b8bd30c0b6904ac105790b81d57c8ccebe4ebef8753
Opcode Fuzzy Hash: da925daf0f5bf2b7b61cccf4df4b65f42ecfcd74e9e6634eaa1af891030548fb
Instruction Fuzzy Hash: E4B1F220D3AF414DD72396398831336B65CAFBB6D5F91D71BFC2674D22EB2686839240

Function 00971C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d27ebe5f0793acf4693da80121f414e7c965682d5be1640e3c810269be559624
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 649187732080A34BDB2D463E857503EFFE55E923A131A879ED4FACA1C1FE24C954DA20

Function 00971F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7a29ca44380402d21491d9520e638023395e7ec391a068fda88f1cc9c10b1ed8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EC91867321D0A34EDB29433D857503EFFE59A923A131A879ED4FACB1C5EE24C554D620

Function 009719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: dee935ad5c4851c8f1f8644f69a8a3242c1a4ee090688998ce9f86e41b8e7686
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3891B5732090A34BDB2D427E847503DFFE95A923A131E879ED4FACA1C5FE24C658D620

Function 00977A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction ID: b050c125d3976f127da9406931bf504741f8505c9309949b3e87dfa907e3f8d7
Opcode Fuzzy Hash: 28fbb3aa8e4b9e637f4fb2ee4830aa6e2131af5e073dc7507728c6456bb43b96
Instruction Fuzzy Hash: C8618B3374870596EE3899E88C96BBFE39CEF81700F14CD19E88ECB281D5159E42C755

Function 00977CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction ID: f940026c417a1fa2382a75512983d4bb3d4ae7d5ad12402edd167c03a525cad7
Opcode Fuzzy Hash: 4f8f5897f4371a536d9b944fb2f78976b1166cd34510b4632ff00822420fe631
Instruction Fuzzy Hash: 41618933348709A6DE384AE84855BBFE39CEF82704F10CD5AE94ECB2D1EA169D42C355

Function 00971706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bede7bf79cdc4fa8d90df90e949faa7b203ca94e2ce64423b9e37ad7557d864
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 278184336080A30BDB6D463E853507EFFE55A923A171A879ED4FACB1C1FE24C558E620

Function 009C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction ID: abcc80746b52f89e390b19bbd4b6b0956e87a9c24a26111c3c7d102f88e250d0
Opcode Fuzzy Hash: 4f93f1b04781bb4fcbd7705bbc9054b35801cd75836d2728ca22772f7004fcbc
Instruction Fuzzy Hash: 1621A5326206118BD728CF79C822B7A73E9A754710F15862EE4A7C77D1DE35A905CB80

Function 009D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D2B30
DeleteObject.GDI32(00000000), ref: 009D2B43
DestroyWindow.USER32 ref: 009D2B52
GetDesktopWindow.USER32 ref: 009D2B6D
GetWindowRect.USER32(00000000), ref: 009D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2CF8
GetClientRect.USER32(00000000,?), ref: 009D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D80
GlobalLock.KERNEL32(00000000), ref: 009D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2D98
GlobalUnlock.KERNEL32(00000000), ref: 009D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DA8
GlobalFree.KERNEL32(00000000), ref: 009D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009EFC38,00000000), ref: 009D2DDB
GlobalFree.KERNEL32(00000000), ref: 009D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009D303F

Strings

DISPLAY, xrefs: 009D2EA2
AutoIt v3, xrefs: 009D2CF2
, xrefs: 009D2FC5
static, xrefs: 009D2D3A, 009D2E91

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction ID: cf0a16c15d10b53454daa66e4e4a0520f45511fb4c511e6758a9536888736c18
Opcode Fuzzy Hash: 363a7b2b50e8b3a8e6fc774d3cc2d3be66e99a25d2423bdb8de71b83982c0724
Instruction Fuzzy Hash: 75028CB1910205AFDB14DFA8CC89EAE7BB9FF48711F008559F915AB2A1D774ED02CB60

Function 009E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009E712F
GetSysColorBrush.USER32(0000000F), ref: 009E7160
GetSysColor.USER32(0000000F), ref: 009E716C
SetBkColor.GDI32(?,000000FF), ref: 009E7186
SelectObject.GDI32(?,?), ref: 009E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009E71C0
GetSysColor.USER32(00000010), ref: 009E71C8
CreateSolidBrush.GDI32(00000000), ref: 009E71CF
FrameRect.USER32(?,?,00000000), ref: 009E71DE
DeleteObject.GDI32(00000000), ref: 009E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009E7230
FillRect.USER32(?,?,?), ref: 009E7262
GetWindowLongW.USER32(?,000000F0), ref: 009E7284

Part of subcall function 009E73E8: GetSysColor.USER32(00000012), ref: 009E7421
Part of subcall function 009E73E8: SetTextColor.GDI32(?,?), ref: 009E7425
Part of subcall function 009E73E8: GetSysColorBrush.USER32(0000000F), ref: 009E743B
Part of subcall function 009E73E8: GetSysColor.USER32(0000000F), ref: 009E7446
Part of subcall function 009E73E8: GetSysColor.USER32(00000011), ref: 009E7463
Part of subcall function 009E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
Part of subcall function 009E73E8: SelectObject.GDI32(?,00000000), ref: 009E7482
Part of subcall function 009E73E8: SetBkColor.GDI32(?,00000000), ref: 009E748B
Part of subcall function 009E73E8: SelectObject.GDI32(?,?), ref: 009E7498
Part of subcall function 009E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
Part of subcall function 009E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
Part of subcall function 009E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 27f9053e27b496d5df4741cfd74c29d09f9fbc9d8c4f81abfb456c6030254d39
Instruction ID: 237c6f30d74d1e510338c280b383ffb3e768dbdedb674a60676a51e874bc343a
Opcode Fuzzy Hash: 27f9053e27b496d5df4741cfd74c29d09f9fbc9d8c4f81abfb456c6030254d39
Instruction Fuzzy Hash: 75A1B4B201C341BFD7019FA0DC88E5BBBA9FB49321F100A19FAA29A1E1D735DD45DB52

Function 00968D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00968E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 009A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009A6F43

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

SendMessageW.USER32(?,00001053), ref: 009A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 009A6FB7

Strings

0, xrefs: 009A6DCF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction ID: 9209e3af3573b21de9a08a93531058d815e2828a3e8a41b79ea6f10f739fedac
Opcode Fuzzy Hash: f4c99525d28cd510e0ff7422a615d8d0d4de982bd85e7862c9bcfedafa0450bc
Instruction Fuzzy Hash: E312BF70204251DFDB25DF18C888BB6B7F9FB5A310F184569F5858B261CB32EC92DB91

Function 009D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009D2900
GetClientRect.USER32(00000000,?), ref: 009D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D2964
GetStockObject.GDI32(00000011), ref: 009D2974
SelectObject.GDI32(00000000,00000000), ref: 009D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D2991
DeleteDC.GDI32(00000000), ref: 009D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009D2A77
GetStockObject.GDI32(00000011), ref: 009D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009D2A97

Strings

DISPLAY, xrefs: 009D295A
msctls_progress32, xrefs: 009D2A13
AutoIt v3, xrefs: 009D28F8
static, xrefs: 009D294F, 009D2A71

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction ID: 74141b7dc1b9965f06bf037cd8a2533c17e737b6bed088ee779a94f17065a239
Opcode Fuzzy Hash: b09f0fc31254db7d6367056739d9ad6acaab6596f49b6d37cba23921009fdf2b
Instruction Fuzzy Hash: C7B17EB1A40205AFEB24DFA8DC85FAE7BA9FB58711F008115F914EB290D770ED42CB90

Function 009C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4AED
GetDriveTypeW.KERNEL32(?,009ECB68,?,\\.\,009ECC08), ref: 009C4BCA
SetErrorMode.KERNEL32(00000000,009ECB68,?,\\.\,009ECC08), ref: 009C4D36

Strings

SCSI, xrefs: 009C4C8A
CDROM, xrefs: 009C4BFB
Virtual, xrefs: 009C4CE5
Removable, xrefs: 009C4C10, 009C4C15
Unknown, xrefs: 009C4BED, 009C4C83
PhysicalDrive, xrefs: 009C4B76
SATA, xrefs: 009C4CD0
MMC, xrefs: 009C4CDE
SAS, xrefs: 009C4CC9
ATAPI, xrefs: 009C4C91
SSA, xrefs: 009C4CA6
ATA, xrefs: 009C4C98
USB, xrefs: 009C4CB4
SSD, xrefs: 009C4C4A
Network, xrefs: 009C4C02
FileBackedVirtual, xrefs: 009C4CEC
Fibre, xrefs: 009C4CAD
iSCSI, xrefs: 009C4CC2
RAID, xrefs: 009C4CBB
\\.\, xrefs: 009C4B3F
RAMDisk, xrefs: 009C4BF4
Fixed, xrefs: 009C4C09
1394, xrefs: 009C4C9F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a9ab68e5ab476f4aa3cd0c4ab4d5c44c8302a0dcc1ec3f2e294e9d9373487790
Instruction ID: 71dd3ec434edb98dcc57b088ae4fffee64216d60c4f9b0e885cb2975d16cf7d9
Opcode Fuzzy Hash: a9ab68e5ab476f4aa3cd0c4ab4d5c44c8302a0dcc1ec3f2e294e9d9373487790
Instruction Fuzzy Hash: 3761B130B45505ABDB04DF24DAA2FED77A4AB44300B24481DF886EB2A1DB39ED81DB42

Function 009E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009E7421
SetTextColor.GDI32(?,?), ref: 009E7425
GetSysColorBrush.USER32(0000000F), ref: 009E743B
GetSysColor.USER32(0000000F), ref: 009E7446
CreateSolidBrush.GDI32(?), ref: 009E744B
GetSysColor.USER32(00000011), ref: 009E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009E7471
SelectObject.GDI32(?,00000000), ref: 009E7482
SetBkColor.GDI32(?,00000000), ref: 009E748B
SelectObject.GDI32(?,?), ref: 009E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009E7572
DrawFocusRect.USER32(?,?), ref: 009E757D
GetSysColor.USER32(00000011), ref: 009E758E
SetTextColor.GDI32(?,00000000), ref: 009E7596
DrawTextW.USER32(?,009E70F5,000000FF,?,00000000), ref: 009E75A8
SelectObject.GDI32(?,?), ref: 009E75BF
DeleteObject.GDI32(?), ref: 009E75CA
SelectObject.GDI32(?,?), ref: 009E75D0
DeleteObject.GDI32(?), ref: 009E75D5
SetTextColor.GDI32(?,?), ref: 009E75DB
SetBkColor.GDI32(?,?), ref: 009E75E5

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a9ee5d60f14f88cb63f11547062515f95945021e60406e9257d7432b49c9daba
Instruction ID: 13029f3f2a2b66d7ff52084f81979634ee7e0e7316d8c7f34e34e102dafdf3cf
Opcode Fuzzy Hash: a9ee5d60f14f88cb63f11547062515f95945021e60406e9257d7432b49c9daba
Instruction Fuzzy Hash: D9618FB2908258AFDF019FA4DC88EEEBFB9EB08320F104115F911AB2A1D7749D41DF90

Function 009E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E1128
GetDesktopWindow.USER32 ref: 009E113D
GetWindowRect.USER32(00000000), ref: 009E1144
GetWindowLongW.USER32(?,000000F0), ref: 009E1199
DestroyWindow.USER32(?), ref: 009E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009E1245
IsWindowVisible.USER32(00000000), ref: 009E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009E12D0
GetWindowRect.USER32(00000000,?), ref: 009E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009E130E
GetMonitorInfoW.USER32(00000000,?), ref: 009E1328
CopyRect.USER32(?,?), ref: 009E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009E13AA

Strings

0, xrefs: 009E10D3
tooltips_class32, xrefs: 009E11E6
(, xrefs: 009E131B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction ID: 16b91cc4acb99825e15dd3265baa3ae73ec8660e2cd2036d471e87c92145d2ac
Opcode Fuzzy Hash: 0883299ebe630b5209770505c2be0ab4cbb3c7682d7b378e8441367b03ecb00c
Instruction Fuzzy Hash: 6EB17C71608381AFDB15DF66C884B6BBBE4FF88750F008918F9999B2A1D731EC45CB91

Function 00968891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00968968
GetSystemMetrics.USER32(00000007), ref: 00968970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0096899B
GetSystemMetrics.USER32(00000008), ref: 009689A3
GetSystemMetrics.USER32(00000004), ref: 009689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00968A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00968A3C
GetClientRect.USER32(00000000,000000FF), ref: 00968A5A
GetStockObject.GDI32(00000011), ref: 00968A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00968A81

Part of subcall function 0096912D: GetCursorPos.USER32(?), ref: 00969141
Part of subcall function 0096912D: ScreenToClient.USER32(00000000,?), ref: 0096915E
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000001), ref: 00969183
Part of subcall function 0096912D: GetAsyncKeyState.USER32(00000002), ref: 0096919D

SetTimer.USER32(00000000,00000000,00000028,009690FC), ref: 00968AA8

Strings

AutoIt v3 GUI, xrefs: 00968A20

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 42bb7e8bb46c0c02d2b903de02089187b7df5b8f9240847c811ff61b6e9c8a69
Instruction ID: c999d280c84e49393ad3a69b43ff358625cfb952fdfab5258bddbd3f691671c5
Opcode Fuzzy Hash: 42bb7e8bb46c0c02d2b903de02089187b7df5b8f9240847c811ff61b6e9c8a69
Instruction Fuzzy Hash: 63B17E71A04209AFDF14DFA8DC85BAE3BB5FB48314F144229FA55AB290DB34E842CF50

Function 009B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
Part of subcall function 009B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
Part of subcall function 009B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
Part of subcall function 009B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
Part of subcall function 009B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B0E29
GetLengthSid.ADVAPI32(?), ref: 009B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 009B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B0E96
GetLengthSid.ADVAPI32(?), ref: 009B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009B0EB5
HeapAlloc.KERNEL32(00000000), ref: 009B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B0EDD
CopySid.ADVAPI32(00000000), ref: 009B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F6E
HeapFree.KERNEL32(00000000), ref: 009B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F7E
HeapFree.KERNEL32(00000000), ref: 009B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B0F8E
HeapFree.KERNEL32(00000000), ref: 009B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 009B0FA1
HeapFree.KERNEL32(00000000), ref: 009B0FA8

Part of subcall function 009B1193: GetProcessHeap.KERNEL32(00000008,009B0BB1,?,00000000,?,009B0BB1,?), ref: 009B11A1
Part of subcall function 009B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009B0BB1,?), ref: 009B11A8
Part of subcall function 009B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009B0BB1,?), ref: 009B11B7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction ID: aff6879755e041f6f85ff92c6bc9be66160656b8753a4165eaa68ae0489449d8
Opcode Fuzzy Hash: 3ff0cf65ed2b44c0a112d55c713b6595a674d607242e5537c0c7ba493ac2c942
Instruction Fuzzy Hash: 45716CB2A0420AABDF209FA4DD48BEFBBBCBF45311F048155F959AA191D7319E05CB60

Function 009DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009ECC08,00000000,?,00000000,?,?), ref: 009DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009DC5A4
_wcslen.LIBCMT ref: 009DC5F4
_wcslen.LIBCMT ref: 009DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009DC84D
RegCloseKey.ADVAPI32(?), ref: 009DC881
RegCloseKey.ADVAPI32(00000000), ref: 009DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009DC960

Strings

REG_SZ, xrefs: 009DC644
REG_QWORD, xrefs: 009DC8C3
REG_BINARY, xrefs: 009DC913
REG_MULTI_SZ, xrefs: 009DC6F5
REG_EXPAND_SZ, xrefs: 009DC5CD
REG_DWORD, xrefs: 009DC804

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 762696328cee07aa6fe16ab8e4640fa5d46485925b5ca31555caf85aac20e4df
Instruction ID: 63e6fc838bb3e93d613441f6cdb0056771f4ed42bca72b0ccab52eee89f76338
Opcode Fuzzy Hash: 762696328cee07aa6fe16ab8e4640fa5d46485925b5ca31555caf85aac20e4df
Instruction Fuzzy Hash: CD1267756082019FCB14DF15C891F2AB7E5EF88725F04885DF88A9B3A2DB31ED46CB81

Function 009E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E09C6
_wcslen.LIBCMT ref: 009E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E0A54
_wcslen.LIBCMT ref: 009E0A8A
_wcslen.LIBCMT ref: 009E0B06
_wcslen.LIBCMT ref: 009E0B81

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

Part of subcall function 009B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009B2BFA

Strings

GETTEXT, xrefs: 009E0C97
ISCHECKED, xrefs: 009E0CE1
EXISTS, xrefs: 009E0B7C, 009E0B97
SELECT, xrefs: 009E0D11
COLLAPSE, xrefs: 009E0B01, 009E0B1C
EXPAND, xrefs: 009E0BF8
GETITEMCOUNT, xrefs: 009E0C1E
GETTOTALCOUNT, xrefs: 009E09F2, 009E0A17
UNCHECK, xrefs: 009E0D3E
GETSELECTED, xrefs: 009E0C4E
CHECK, xrefs: 009E0A85, 009E0AA0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction ID: 710281a93adbd41ddd280339e55c8ae3a4753acd02f207f700e9a934bfa3d46e
Opcode Fuzzy Hash: c215b63f5b676024bca536e8067fe0f4e484f3614eebb4cd57226d39a91c1b33
Instruction Fuzzy Hash: 97E18C312083819FCB15DF26C450A6AB7E5BFD8314F14895DF8969B3A2D770ED8ACB81

Function 009DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
_wcslen.LIBCMT ref: 009DC9F1
_wcslen.LIBCMT ref: 009DCA68
_wcslen.LIBCMT ref: 009DCA9E
_wcslen.LIBCMT ref: 009DCAF9
_wcslen.LIBCMT ref: 009DCB2F
_wcslen.LIBCMT ref: 009DCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 009DCAF3, 009DCAF8
HKEY_USERS, xrefs: 009DCBDF
HKEY_CURRENT_USER, xrefs: 009DCBBD
HKEY_CURRENT_CONFIG, xrefs: 009DCB79, 009DCB7E
HKCU, xrefs: 009DCBCE
HKU, xrefs: 009DCBF0
HKCR, xrefs: 009DCB29, 009DCB2E
HKLM, xrefs: 009DCA98, 009DCA9D
HKCC, xrefs: 009DCBAC
HKEY_LOCAL_MACHINE, xrefs: 009DCA62, 009DCA67

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction ID: 452bb24f9fcf85d8f535b94fa9c9af4f21a4fdc1c494866fa896cce5e1cad278
Opcode Fuzzy Hash: 7b1a310783454cceabbd162492e10b0877bb52d2dca91a78e750f069d5275244
Instruction Fuzzy Hash: 4A7107B369012B8BCB20DE7CCD516BE33A9ABA0794F158927FC559B384E634CD85C390

Function 009E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E835A
_wcslen.LIBCMT ref: 009E836E
_wcslen.LIBCMT ref: 009E8391
_wcslen.LIBCMT ref: 009E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,009E361A,?), ref: 009E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009E8501
FreeLibrary.KERNEL32(?), ref: 009E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009E851D
DestroyIcon.USER32(?), ref: 009E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009E8555

Strings

.dll, xrefs: 009E83AB
.icl, xrefs: 009E8368
.exe, xrefs: 009E8388

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction ID: 2df8330fad290379b79a03a795f2aebfaa4c7eed49e8fe55efdb559f8142bad5
Opcode Fuzzy Hash: eade99f8bc756127ea5069b125551ac63f44ced0e36d22f6dc0195c6ca02aac6
Instruction Fuzzy Hash: 7F61DDB1504245BAEB15DFA5CC81BBF77ACBB48B11F104549F819DA0E1EF74AE80D7A0

Function 00957778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00995169
#comments-start, xrefs: 0095785F, 009578B1
#ce, xrefs: 009578ED
#cs, xrefs: 00957873, 009578C5
#pragma compile, xrefs: 009577D3
Cannot parse #include, xrefs: 00995279
#OnAutoItStartRegister, xrefs: 00957817
#include-once, xrefs: 0095782F
#notrayicon, xrefs: 009577E7
#requireadmin, xrefs: 009577FF
", xrefs: 00995153
Unterminated group of comments, xrefs: 0099528C
#comments-end, xrefs: 009578D9
#include, xrefs: 00957847
Bad directive syntax error, xrefs: 0099519A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f7460ba52c03f3fbce5ca29791bf2581b107452dadd9f864a7fe839591be997a
Instruction ID: 7639fbaee686c5218b3a07f144b51f528458b5b037d0b320e0866b2d6b90ec52
Opcode Fuzzy Hash: f7460ba52c03f3fbce5ca29791bf2581b107452dadd9f864a7fe839591be997a
Instruction Fuzzy Hash: 48813871644205BBDF22EFA5EC52FAF77A8AF84301F144425FD08AA192EB70DB05C7A1

Function 009C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009C3EF8
_wcslen.LIBCMT ref: 009C3F03
_wcslen.LIBCMT ref: 009C3F5A
_wcslen.LIBCMT ref: 009C3F98
GetDriveTypeW.KERNEL32(?), ref: 009C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C4087

Strings

open, xrefs: 009C3F54, 009C3F59
closed, xrefs: 009C3F08, 009C3F2D, 009C3F46, 009C3F7E, 009C3F97
close, xrefs: 009C3EFE, 009C3F18
type cdaudio alias cd wait, xrefs: 009C4001
set cd door , xrefs: 009C4028
close cd wait, xrefs: 009C4072
open , xrefs: 009C3FE5
wait, xrefs: 009C4044

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 8a21dddb658556b7c90849f3ee7db841fa8bf377c686d5d1a5b9cf23aad72ed7
Instruction ID: ab8968649e312b619c66f5893c91b283de076387edcfa2f542b5242d9347e9a8
Opcode Fuzzy Hash: 8a21dddb658556b7c90849f3ee7db841fa8bf377c686d5d1a5b9cf23aad72ed7
Instruction Fuzzy Hash: BF71C072A043019FD310EF25C891AAAB7F8EF94754F408D2DF99697251EB30DE49CB92

Function 009B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009B5A40
SetWindowTextW.USER32(?,?), ref: 009B5A57
GetDlgItem.USER32(?,000003EA), ref: 009B5A6C
SetWindowTextW.USER32(00000000,?), ref: 009B5A72
GetDlgItem.USER32(?,000003E9), ref: 009B5A82
SetWindowTextW.USER32(00000000,?), ref: 009B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009B5AC3
GetWindowRect.USER32(?,?), ref: 009B5ACC
_wcslen.LIBCMT ref: 009B5B33
SetWindowTextW.USER32(?,?), ref: 009B5B6F
GetDesktopWindow.USER32 ref: 009B5B75
GetWindowRect.USER32(00000000), ref: 009B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009B5BD3
GetClientRect.USER32(?,?), ref: 009B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 009B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009B5C2F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction ID: b3005c29732dd52f1f664d678f378facbdcb528844b1c9850f6dcb0e6cc6a7f6
Opcode Fuzzy Hash: f55e72ffbfc74703e0789bf898618cc5ddecff4df07c3391c4ef3888b19f84f8
Instruction Fuzzy Hash: 93717D71900B09AFDB20DFA8CE85BAEBBF9FF48714F114918E582A65A0D775ED41CB10

Function 009CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 009CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 009CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 009CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 009CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 009CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 009CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 009CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 009CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 009CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 009CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 009CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 009CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 009CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 009CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 009CFECC
GetCursorInfo.USER32(?), ref: 009CFEDC
GetLastError.KERNEL32 ref: 009CFF1E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4bdab874a027bc2bf49c2e1520bd31aa17414cb98b07088546cfeef1cff4388e
Instruction ID: ade280c84d06999da94addf674898015bcc0093520430e140ef64a2dba7baebb
Opcode Fuzzy Hash: 4bdab874a027bc2bf49c2e1520bd31aa17414cb98b07088546cfeef1cff4388e
Instruction Fuzzy Hash: 754172B0D083196ADB10DFBA8C89D5EBFE9FF04354B50452AE11DEB281DB78A901CF91

Function 009700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009700C6

Part of subcall function 009700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A2070C,00000FA0,BA3915DD,?,?,?,?,009923B3,000000FF), ref: 0097011C
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009923B3,000000FF), ref: 00970127
Part of subcall function 009700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009923B3,000000FF), ref: 00970138
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0097014E
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0097015C
Part of subcall function 009700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0097016A
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00970195
Part of subcall function 009700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009701A0

___scrt_fastfail.LIBCMT ref: 009700E7

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

Strings

kernel32.dll, xrefs: 00970133
InitializeConditionVariable, xrefs: 00970148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00970122
SleepConditionVariableCS, xrefs: 00970154
WakeAllConditionVariable, xrefs: 00970162

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction ID: 7c462ba25f2fb1341ed2931692c7db7c4e020e1c12c825523a88fb1cee9383c3
Opcode Fuzzy Hash: 19f3f82f25a79e75878e9f6a98597283c6948491cb4d5bca7727e4674ca4f44b
Instruction Fuzzy Hash: E4213B7364C750EFD7215BA8AC56F6A3798EBC4F64F00813AF805A76D2DB709C018A90

Function 009B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B318D
_wcslen.LIBCMT ref: 009B31F8

Strings

REGEXPCLASS, xrefs: 009B3255, 009B3266
CLASS, xrefs: 009B3188, 009B31A5
CLASSNN, xrefs: 009B31F3, 009B3204
TEXT, xrefs: 009B347C
INSTANCE, xrefs: 009B3453
NAME, xrefs: 009B3335, 009B3346

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction ID: 6c2c34751254481a147b91b0fdf6aa66e19f283a7825be09f1957b1a386bddde
Opcode Fuzzy Hash: 1309930b6c4e3c80246f002da48bb7c545d8dc613fb6993a6329a2055a5c183d
Instruction Fuzzy Hash: 48E10832A04516EBCB24DF78C5517EEBBB9BF84720F54C519E45AF7240DB30AE898790

Function 009C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009ECC08), ref: 009C4527
_wcslen.LIBCMT ref: 009C453B
_wcslen.LIBCMT ref: 009C4599
_wcslen.LIBCMT ref: 009C45F4
_wcslen.LIBCMT ref: 009C463F
_wcslen.LIBCMT ref: 009C46A7

Part of subcall function 0096F9F2: _wcslen.LIBCMT ref: 0096F9FD

GetDriveTypeW.KERNEL32(?,00A16BF0,00000061), ref: 009C4743

Strings

fixed, xrefs: 009C4635, 009C463A
ramdisk, xrefs: 009C46F1
cdrom, xrefs: 009C458F, 009C4594
removable, xrefs: 009C45EA, 009C45EF
all, xrefs: 009C4531, 009C4536
network, xrefs: 009C469D, 009C46A2
unknown, xrefs: 009C4708

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ea5f49c11d6004608cbc648858e0d8ac303c85749554530870167b84e79f9922
Instruction ID: dc63a89a82abc69c8a9863f0999fcbe9d3a4753ce8c6f6a7d7ac4fbd9a241ab7
Opcode Fuzzy Hash: ea5f49c11d6004608cbc648858e0d8ac303c85749554530870167b84e79f9922
Instruction Fuzzy Hash: BDB1DE71A083029BC710DF28C9A0F6AB7E9AFE5764F50491DF596C7296D730D848CBA3

Function 009D3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009ECC08), ref: 009D40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009D40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,009ECC08), ref: 009D40F2
FreeLibrary.KERNEL32(00000000,?,009ECC08), ref: 009D413E
StringFromGUID2.OLE32(?,?,00000028,?,009ECC08), ref: 009D41A8
SysFreeString.OLEAUT32(00000009), ref: 009D4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009D42C8
SysFreeString.OLEAUT32(?), ref: 009D42F2

Strings

kernel32.dll, xrefs: 009D40B6
GetModuleHandleExW, xrefs: 009D40C7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e6c63b03a24e65692c9c506ef0e88d9fc4185636e423db7d287aca5f94caf165
Instruction ID: 6e9f91d51c5226baf33200a1c5faf8618100916fb73c64d05b369ebaefb2abfa
Opcode Fuzzy Hash: e6c63b03a24e65692c9c506ef0e88d9fc4185636e423db7d287aca5f94caf165
Instruction Fuzzy Hash: 0A122975A00109EFDB14CF94C884EAEB7B9BF85314F24C099F945AB261D731ED86CBA0

Function 0095326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A21990), ref: 00992F8D
GetMenuItemCount.USER32(00A21990), ref: 0099303D
GetCursorPos.USER32(?), ref: 00993081
SetForegroundWindow.USER32(00000000), ref: 0099308A
TrackPopupMenuEx.USER32(00A21990,00000000,?,00000000,00000000,00000000), ref: 0099309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009930A9

Strings

0, xrefs: 0095327D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8fc3b8a443589769a01fc58a27846a4877c5744ac0852a5479ab667722fc12b4
Instruction ID: fb121b27b722a7c1fe1876d0f35e22ea1e0fd2f64e05b95592074fe42aafc914
Opcode Fuzzy Hash: 8fc3b8a443589769a01fc58a27846a4877c5744ac0852a5479ab667722fc12b4
Instruction Fuzzy Hash: F6710770644205BEEF21CF69CC89FAABF68FF45364F204216F9256A1E0C7B1AD14DB90

Function 009E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009E6DEB

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6E94
DestroyWindow.USER32(?), ref: 009E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00950000,00000000), ref: 009E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E6EFD
GetDesktopWindow.USER32 ref: 009E6F16
GetWindowRect.USER32(00000000), ref: 009E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009E6F4D

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

Strings

0, xrefs: 009E6D98
tooltips_class32, xrefs: 009E6E58, 009E6EDD

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction ID: 154488f543ad2a1b2a82cd5cfae058e48d492cb1d21c898f95ee5822a3e8ae77
Opcode Fuzzy Hash: 09790e4f818f9de5e40466b514577bf4660bdde4f5d4d085195300305cc3f96e
Instruction Fuzzy Hash: DE7168B0104285AFDB22CF19D884BBABBE9FB99744F04081DF999872A1C770ED46DB11

Function 009E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

DragQueryPoint.SHELL32(?,?), ref: 009E9147

Part of subcall function 009E7674: ClientToScreen.USER32(?,?), ref: 009E769A
Part of subcall function 009E7674: GetWindowRect.USER32(?,?), ref: 009E7710
Part of subcall function 009E7674: PtInRect.USER32(?,?,009E8B89), ref: 009E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009E9277
DragFinish.SHELL32(?), ref: 009E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009E9371

Strings

@GUI_DROPID, xrefs: 009E929E
@GUI_DRAGID, xrefs: 009E92E9
@GUI_DRAGFILE, xrefs: 009E9320

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ef9cdbe806441d9317427ee89d7d75309774a144a6665692c1f422030eea718e
Instruction ID: d6d0b0ca413415deb220c677dd169f8aa82f9811a4bd22f501636fea56292665
Opcode Fuzzy Hash: ef9cdbe806441d9317427ee89d7d75309774a144a6665692c1f422030eea718e
Instruction Fuzzy Hash: D1618B71108341AFD701DF65DC85EAFBBE8EFC9750F00092EF995962A1DB309A4ACB52

Function 009CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009CC5F0
InternetCloseHandle.WININET(00000000), ref: 009CC5FB

Strings

, xrefs: 009CC575

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction ID: b2dcae4306e7131d567f5ce4be970710a16aaa3149adad4143720f2897f8e927
Opcode Fuzzy Hash: 568731b8c05923d91d1bd5f81b54b3b4c1572892b034cc5fe1dd88f7dcb7c73a
Instruction Fuzzy Hash: F4514BF1904245BFEB218F64C988FAA7FBCEB08744F00841DF99996250DB35ED45AB62

Function 009E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 009E8592
GetFileSize.KERNEL32(00000000,00000000), ref: 009E85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 009E85AD
CloseHandle.KERNEL32(00000000), ref: 009E85BA
GlobalLock.KERNEL32(00000000), ref: 009E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009E85D7
GlobalUnlock.KERNEL32(00000000), ref: 009E85E0
CloseHandle.KERNEL32(00000000), ref: 009E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009E85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,009EFC38,?), ref: 009E8611
GlobalFree.KERNEL32(00000000), ref: 009E8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 009E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009E8671
DeleteObject.GDI32(00000000), ref: 009E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009E86AF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction ID: e44273a1c1c8e5e4f23b7a1ffeec68148814711263cdfe183cc596ea4aa71fb1
Opcode Fuzzy Hash: b7028634b470e419334104c494d84d82f74c23aadb03b51e391f2ce30016c006
Instruction Fuzzy Hash: 1E410BB5614244AFDB119FA5CC88EAB7BBCEB89B15F104058F959EB260DB309D02DB60

Function 009C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009C1502
VariantCopy.OLEAUT32(?,?), ref: 009C150B
VariantClear.OLEAUT32(?), ref: 009C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009C1657
VariantInit.OLEAUT32(?), ref: 009C1708
SysFreeString.OLEAUT32(?), ref: 009C178C
VariantClear.OLEAUT32(?), ref: 009C17D8
VariantClear.OLEAUT32(?), ref: 009C17E7
VariantInit.OLEAUT32(00000000), ref: 009C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009C1625
Default, xrefs: 009C16AF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 00cf4331a7705bc465e958cde754e0e95ed21f5c98649d61c43fe1851ee14afa
Instruction ID: 6ff3a542dcca134e365c9120762add4a98c7c8659cecdccdfe38c6a001cc09fb
Opcode Fuzzy Hash: 00cf4331a7705bc465e958cde754e0e95ed21f5c98649d61c43fe1851ee14afa
Instruction Fuzzy Hash: 8BD11E71A00200EBDB00DF65E894F79B7B5BF8A700F50849AF846AB192DB34EC45DB66

Function 009DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009DB80A
RegCloseKey.ADVAPI32(?), ref: 009DB87E
RegCloseKey.ADVAPI32(?), ref: 009DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009DB922
FreeLibrary.KERNEL32(00000000), ref: 009DB983
RegCloseKey.ADVAPI32(00000000), ref: 009DB994

Strings

advapi32.dll, xrefs: 009DB8ED
RegDeleteKeyExW, xrefs: 009DB8FE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: de012b9e1e6310a142d1d82afc43b2c6744424f3e788b5c5fbb77cc961cf839c
Instruction ID: 17e6c9040edebedf6ecf5e4152cb46dbef82d3b4a617298652d365cd794b7be3
Opcode Fuzzy Hash: de012b9e1e6310a142d1d82afc43b2c6744424f3e788b5c5fbb77cc961cf839c
Instruction Fuzzy Hash: 5BC17974208241EFD710DF25C494F2ABBE5AF84318F15C95DE89A8B3A2CB35ED46CB91

Function 009D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009D25E8
CreateCompatibleDC.GDI32(?), ref: 009D25F4
SelectObject.GDI32(00000000,?), ref: 009D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009D26D0
SelectObject.GDI32(?,?), ref: 009D26D8
DeleteObject.GDI32(?), ref: 009D26E1
DeleteDC.GDI32(?), ref: 009D26E8
ReleaseDC.USER32(00000000,?), ref: 009D26F3

Strings

(, xrefs: 009D268D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f67edded1e2a5e1dfb28e7cb6b411984b02984faee571aef888c40a1cc735ce8
Instruction ID: 205d2056404760184b8475d4fc17042502bedb0662f96b4fc2ce2da529bc178b
Opcode Fuzzy Hash: f67edded1e2a5e1dfb28e7cb6b411984b02984faee571aef888c40a1cc735ce8
Instruction Fuzzy Hash: 0B61E1B5D04219EFCF15CFA8D884AAEBBB5FF48310F20852AE955A7350D770AD419F60

Function 0098DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0098DAA1

Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D659
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D66B
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D67D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D68F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6A1
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6B3
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6C5
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6D7
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6E9
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D6FB
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D70D
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D71F
Part of subcall function 0098D63C: _free.LIBCMT ref: 0098D731

_free.LIBCMT ref: 0098DA96

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098DAB8
_free.LIBCMT ref: 0098DACD
_free.LIBCMT ref: 0098DAD8
_free.LIBCMT ref: 0098DAFA
_free.LIBCMT ref: 0098DB0D
_free.LIBCMT ref: 0098DB1B
_free.LIBCMT ref: 0098DB26
_free.LIBCMT ref: 0098DB5E
_free.LIBCMT ref: 0098DB65
_free.LIBCMT ref: 0098DB82
_free.LIBCMT ref: 0098DB9A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction ID: 46494809a82e50a5c4c6c81c6b631d2e6d7aa685886a74b325194b4ecc6bfb49
Opcode Fuzzy Hash: 55df7a2a93b356bfb12be21056b3894361fafb0bbf7a2f3eff0e20fec061d886
Instruction Fuzzy Hash: FA3136326452059FEB26BB39E945B5AB7EDFF40320F264429E449D7391DF36ED808B20

Function 009B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009B369C
_wcslen.LIBCMT ref: 009B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009B3797
GetClassNameW.USER32(?,?,00000400), ref: 009B380C
GetDlgCtrlID.USER32(?), ref: 009B385D
GetWindowRect.USER32(?,?), ref: 009B3882
GetParent.USER32(?), ref: 009B38A0
ScreenToClient.USER32(00000000), ref: 009B38A7
GetClassNameW.USER32(?,?,00000100), ref: 009B3921
GetWindowTextW.USER32(?,?,00000400), ref: 009B395D

Strings

%s%u, xrefs: 009B3734

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: dde9e14a25ccae5513bb06166cd1150bc7d3dbe659f634c1021726cd149aa19a
Instruction ID: 6ad36c49f65f7733b4bcd3ee2849f3138ef6ac932370ca90875ab82671574454
Opcode Fuzzy Hash: dde9e14a25ccae5513bb06166cd1150bc7d3dbe659f634c1021726cd149aa19a
Instruction Fuzzy Hash: 7191BF71204606EFD719DF24C985BEAB7ACFF44760F00C629F999D6190EB30EA46CB91

Function 009B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009B4994
GetWindowTextW.USER32(?,?,00000400), ref: 009B49DA
_wcslen.LIBCMT ref: 009B49EB
CharUpperBuffW.USER32(?,00000000), ref: 009B49F7
_wcsstr.LIBVCRUNTIME ref: 009B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 009B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 009B4B20
GetWindowRect.USER32(?,?), ref: 009B4B8B

Strings

ThumbnailClass, xrefs: 009B4A6F, 009B4AF1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c53feb133727f32932f65f8e2dde5a67c56c9daf7cf28e080612f4bc0ee73978
Instruction ID: 1b46c4f153e76f5e575663dd9c19c9d81cdf4e464b8f20c5222a1f4355bbc3c8
Opcode Fuzzy Hash: c53feb133727f32932f65f8e2dde5a67c56c9daf7cf28e080612f4bc0ee73978
Instruction Fuzzy Hash: 8F91AE720082059BDB04DF14CA81BEA77ACFF84724F048469FE859A196DB30ED45DBA1

Function 009BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00A21990,000000FF,00000000,00000030), ref: 009BBFAC
SetMenuItemInfoW.USER32(00A21990,00000004,00000000,00000030), ref: 009BBFE1
Sleep.KERNEL32(000001F4), ref: 009BBFF3
GetMenuItemCount.USER32(?), ref: 009BC039
GetMenuItemID.USER32(?,00000000), ref: 009BC056
GetMenuItemID.USER32(?,-00000001), ref: 009BC082
GetMenuItemID.USER32(?,?), ref: 009BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BC145

Strings

0, xrefs: 009BBF3D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5bc1ec0f839de31d59e7ae96ae4fac62ede5a42aeec2106071c06119c66aff6d
Instruction ID: b29e76c28a3ecf61e0dbbfcd7e2774441415716b9fe6b7cfc2e3fbe150590ae8
Opcode Fuzzy Hash: 5bc1ec0f839de31d59e7ae96ae4fac62ede5a42aeec2106071c06119c66aff6d
Instruction Fuzzy Hash: D161A0F091424AAFDF11DF68CE88AFE7BB8EB45364F004015F851A7291C775AD05DB60

Function 009DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD48

Part of subcall function 009DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009DCCAA
Part of subcall function 009DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009DCCBD
Part of subcall function 009DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009DCCCF
Part of subcall function 009DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009DCD05
Part of subcall function 009DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009DCCF3

Strings

advapi32.dll, xrefs: 009DCCB8
RegDeleteKeyExW, xrefs: 009DCCC9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction ID: bbf09895b1c3d89d5ac85801be6b3af232e5629d99e2bc5c233f340fc1da95bc
Opcode Fuzzy Hash: 7cf92af53f40c1f5739451b887b3dcfd3fdec5ab065bf0adad6286977d6d25db
Instruction Fuzzy Hash: BA3180B1955129BBDB208BA0DC88EFFBB7CEF45740F004566F945E7240D7349E46EAA0

Function 009C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009C3D40
_wcslen.LIBCMT ref: 009C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 009C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 009C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009C3E55
CloseHandle.KERNEL32(00000000), ref: 009C3E60
CloseHandle.KERNEL32(00000000), ref: 009C3E6B

Strings

\??\%s, xrefs: 009C3D5B
\, xrefs: 009C3D77
:, xrefs: 009C3D82

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction ID: 119e49196cd73be7f881c7d5dc3f3e6fe38f5201761f82cdda4db09edc92efcb
Opcode Fuzzy Hash: 0b909c73fdceec20540084ff81f8dea72749e38985fed830a3fb64be565754c2
Instruction Fuzzy Hash: 8C31B6B2914249ABDB20DBA0DC89FEF37BCEF88700F1081B9F619D6190E77497458B25

Function 009BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009BE6B4

Part of subcall function 0096E551: timeGetTime.WINMM(?,?,009BE6D4), ref: 0096E555

Sleep.KERNEL32(0000000A), ref: 009BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009BE727
SetActiveWindow.USER32 ref: 009BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 009BE773
Sleep.KERNEL32(000000FA), ref: 009BE77E
IsWindow.USER32 ref: 009BE78A
EndDialog.USER32(00000000), ref: 009BE79B

Strings

BUTTON, xrefs: 009BE719

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction ID: e7d7b5d89359de258b91869cf4b233f76aaf47d7ad39017b892985b6884187a8
Opcode Fuzzy Hash: c31d7c21d200581744421b4612cbf5dd45652c0b5343b071914c4d7895ce77bf
Instruction Fuzzy Hash: 5021A4B1214245BFEB20DFA4EEC9BB63B6DFB54758B101434F841952A1DF71AC039B14

Function 009BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009BEAA7

Strings

play PlayMe wait, xrefs: 009BEA91
close PlayMe, xrefs: 009BEA6E, 009BEA9B
status PlayMe mode, xrefs: 009BEA58
open , xrefs: 009BEA0C
alias PlayMe, xrefs: 009BEA36
play PlayMe, xrefs: 009BEAA2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ee9dfa7ba0a7b78f8cd2b3e513a1c2252a9c235accea7a71ae92f19cf46b16ae
Instruction ID: 3076dbbee648d580d2b750f947304f59e5fccada280ac02e5451f5266d55aad8
Opcode Fuzzy Hash: ee9dfa7ba0a7b78f8cd2b3e513a1c2252a9c235accea7a71ae92f19cf46b16ae
Instruction Fuzzy Hash: 80112131A5125D7AD720E7A6DD4AEFF6A7CFBD1B50F4008297811E20D1EE705989C6B0

Function 009B9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009BA012
SetKeyboardState.USER32(?), ref: 009BA07D
GetAsyncKeyState.USER32(000000A0), ref: 009BA09D
GetKeyState.USER32(000000A0), ref: 009BA0B4
GetAsyncKeyState.USER32(000000A1), ref: 009BA0E3
GetKeyState.USER32(000000A1), ref: 009BA0F4
GetAsyncKeyState.USER32(00000011), ref: 009BA120
GetKeyState.USER32(00000011), ref: 009BA12E
GetAsyncKeyState.USER32(00000012), ref: 009BA157
GetKeyState.USER32(00000012), ref: 009BA165
GetAsyncKeyState.USER32(0000005B), ref: 009BA18E
GetKeyState.USER32(0000005B), ref: 009BA19C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5a4e7f017bc3cce6f8f20895d32ac84914991c5e1bf954b4b9bcec53126ef1c0
Instruction ID: 00dd209277ba7c8a77d2bbdbe223685d2925290e58bea8beae6f80deac68dac6
Opcode Fuzzy Hash: 5a4e7f017bc3cce6f8f20895d32ac84914991c5e1bf954b4b9bcec53126ef1c0
Instruction Fuzzy Hash: 8951EB3090878829FB35EB748A557FABFF89F123A0F084599D5C25B1C2DA54AE4CC762

Function 009B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009B5CE2
GetWindowRect.USER32(00000000,?), ref: 009B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009B5D59
GetDlgItem.USER32(?,00000002), ref: 009B5D69
GetWindowRect.USER32(00000000,?), ref: 009B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009B5DCF
GetDlgItem.USER32(?,000003E9), ref: 009B5DDD
GetWindowRect.USER32(00000000,?), ref: 009B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009B5E31
GetDlgItem.USER32(?,000003EA), ref: 009B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 009B5E67

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction ID: d82b332825363e6dc14d9ab1b178dbea27b152c93325b4bd4212d547186ffe80
Opcode Fuzzy Hash: da628df0aa2687552f5e9fc7bf137d02e36011eaaf6af5faa4b267daf4c3d442
Instruction Fuzzy Hash: 24512EB0A10605AFDF18CF68CD89BAEBBB9FB48710F158229F915E6290D7709E01CB50

Function 00968BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00968F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00968BE8,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968FC5

DestroyWindow.USER32(?), ref: 00968C81
KillTimer.USER32(00000000,?,?,?,?,00968BBA,00000000,?), ref: 00968D1B
DestroyAcceleratorTable.USER32(00000000), ref: 009A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000,?), ref: 009A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00968BBA,00000000), ref: 009A69D4
DeleteObject.GDI32(00000000), ref: 009A69E6

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction ID: 6d2886fd67849b16931dfabb52ac601d7872f071ecd51b77eb9c4e7586fe7484
Opcode Fuzzy Hash: ed1b22c1c84559e6c5cf4dc91f0a9e2cb09b9d33c16c2e7eef0c3f5bb1708c53
Instruction Fuzzy Hash: E0618C71502700DFCB35DF28DA98B2677F5FB95312F144A28E0829A5A0CB39ADD2DF91

Function 00969838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00969944: GetWindowLongW.USER32(?,000000EB), ref: 00969952

GetSysColor.USER32(0000000F), ref: 00969862

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction ID: 70d2c3145295e52a2a9c2c11b81b52720e5bfab5e4b902b7a57a507cd94e08bd
Opcode Fuzzy Hash: 72e1b8831a1a59bd06e0b864e0869d6f46a499452503d14eacc077a3ead4305d
Instruction Fuzzy Hash: E041A171508644AFDB209F789C89BBA3BADFB47370F144619F9A28B1E1D7319C42EB50

Function 009B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009B9717
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9720

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0099F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009B9742
LoadStringW.USER32(00000000,?,0099F7F8,00000001), ref: 009B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009B9866

Strings

^ ERROR, xrefs: 009B97FB
Error: , xrefs: 009B981D
Line %d (File "%s"):, xrefs: 009B978F
Line %d:, xrefs: 009B97A0
%s (%d) : ==> %s: %s %s, xrefs: 009B984A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3cd51d43e58a4bd653868b1330655ef9b9f48c48a2cee96b335e262cc905a45c
Instruction ID: eec89d7f676ce539b65ad1b1274ad5b5f24c1a7d4afaee596ce67a4d4bbeac17
Opcode Fuzzy Hash: 3cd51d43e58a4bd653868b1330655ef9b9f48c48a2cee96b335e262cc905a45c
Instruction Fuzzy Hash: D3416D72800219AADF04EBE1DE86FEE7378AF94341F504465FA05B2092EB356F49CB61

Function 009B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009B083C

Strings

SOFTWARE\Classes\, xrefs: 009B070E
\CLSID, xrefs: 009B0724
\IPC$, xrefs: 009B0784

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction ID: 80352a75c40eec10f869100cb7dbd45c71631cfd0522389d493997e01e723da9
Opcode Fuzzy Hash: 86a388efcdc5341db28bf83ecd439fa9b49768995b83c92633406c62bd91d644
Instruction Fuzzy Hash: CE410672C1022DEBDF15EBA4DC959EEB778FF84351B444529E901A7161EB309E48CBA0

Function 009E3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009E403B
CreateCompatibleDC.GDI32(00000000), ref: 009E4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009E4055
SelectObject.GDI32(00000000,00000000), ref: 009E405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 009E4068
DeleteDC.GDI32(00000000), ref: 009E4072
GetWindowLongW.USER32(?,000000EC), ref: 009E407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 009E4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 009E409E

Strings

static, xrefs: 009E3FD3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3f4c0ded37c3ce8693dd495a9db5528e7c6c63cee2473c3a5241099ff72a1451
Instruction ID: ac4706e4eac66d022b83a27a160d3c1873aceeaa82fd9b96fcf46b57159a614a
Opcode Fuzzy Hash: 3f4c0ded37c3ce8693dd495a9db5528e7c6c63cee2473c3a5241099ff72a1451
Instruction Fuzzy Hash: AD317A72514295BBDF229FA5CC49FEA3B69FF0D725F000220FA68A61A0C775DC11EB50

Function 009D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D3C5C
CoInitialize.OLE32(00000000), ref: 009D3C8A
CoUninitialize.OLE32 ref: 009D3C94
_wcslen.LIBCMT ref: 009D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009D3F0E
CoGetObject.OLE32(?,00000000,009EFB98,?), ref: 009D3F2D
SetErrorMode.KERNEL32(00000000), ref: 009D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D3FC4
VariantClear.OLEAUT32(?), ref: 009D3FD8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction ID: dcf6548ed667ba5d1147ebc4d248b55f425afa58af07c216a771230163e0d308
Opcode Fuzzy Hash: 3161a81d879f39099ac0d7e0f2bac1944506d6e5694cf9c8bc6dce2d43ca59d0
Instruction Fuzzy Hash: E9C114B16083059FD700DF68C88492BB7E9FF89745F14891EF98A9B251D731EE06CB62

Function 009C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009C7BA3
CoCreateInstance.OLE32(009EFD08,00000000,00000001,00A16E6C,?), ref: 009C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009C7C74
CoTaskMemFree.OLE32(?,?), ref: 009C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009C7D7A
CoTaskMemFree.OLE32(00000000), ref: 009C7D81
CoTaskMemFree.OLE32(00000000), ref: 009C7DD6
CoUninitialize.OLE32 ref: 009C7DDC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d6c6684d173b54ab44d8e9c8c2e317b3b8ee289cc8422a73da113441b0a76735
Instruction ID: e7055a5ecc5d387a1eff0615fb354cf52a8fea76516bb99e13b004c773b8ad6e
Opcode Fuzzy Hash: d6c6684d173b54ab44d8e9c8c2e317b3b8ee289cc8422a73da113441b0a76735
Instruction Fuzzy Hash: 6FC10A75A04109AFDB14DFA4C884EAEBBB9FF48304B148499E85A9B261D730EE45CF91

Function 009E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E5515
CharNextW.USER32(00000158), ref: 009E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E55AC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction ID: 64be8aa66051b20bafa1c4ff4882875f5df7fffa00e98102b14e55756ddad282
Opcode Fuzzy Hash: da8a29cddcacd18707f6a8bb75604eb824775b1ce847e5472d49f2520d9ccdbf
Instruction Fuzzy Hash: 3B61E170904689EFDF12CF96CC84AFE3B79EB09728F114005F925AB2A1D7348E81DB60

Function 009AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 009AFB08
VariantInit.OLEAUT32(?), ref: 009AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009AFB3A
VariantCopy.OLEAUT32(?,?), ref: 009AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009AFBA1
VariantClear.OLEAUT32(?), ref: 009AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 009AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBCC
VariantClear.OLEAUT32(?), ref: 009AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009AFBE9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction ID: 5bdd74bd05f8f468f655ec66273a638099962e02838a9bd211e3816f114e219e
Opcode Fuzzy Hash: a56b582851937497fbcc927c63d82471e60a7b748f57f4775e7476ee922ab559
Instruction Fuzzy Hash: C2414275A04219AFCB00DFA4D8A4DADBBB9FF49344F008065F955AB261D730ED46CBA0

Function 009B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 009B9D22
GetKeyState.USER32(000000A0), ref: 009B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 009B9D57
GetKeyState.USER32(000000A1), ref: 009B9D6C
GetAsyncKeyState.USER32(00000011), ref: 009B9D84
GetKeyState.USER32(00000011), ref: 009B9D96
GetAsyncKeyState.USER32(00000012), ref: 009B9DAE
GetKeyState.USER32(00000012), ref: 009B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 009B9DD8
GetKeyState.USER32(0000005B), ref: 009B9DEA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction ID: d465e2de76a05bb90310cb8576fe78c4f8f781f93e3a06353c38948aaa7d7a36
Opcode Fuzzy Hash: ed56272fc14f300a4e1d4c61fc608b1934ef4397ceb0f47458303c82c2d94005
Instruction Fuzzy Hash: 96411D305287C96DFF30876186443F5BEE86F51324F44805AE7C65A2C2DBA4ADC8C791

Function 009D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009D05BC
inet_addr.WSOCK32(?), ref: 009D061C
gethostbyname.WSOCK32(?), ref: 009D0628
IcmpCreateFile.IPHLPAPI ref: 009D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009D07B9
WSACleanup.WSOCK32 ref: 009D07BF

Strings

Ping, xrefs: 009D0676

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8e27814de8a288cc07e3df73cc59e10aa9708cfd011b136338ed219aeea6d2a4
Instruction ID: 31cefd3351f91da1320320d0f75df291bc590a594beccc4afb627c4535a852bd
Opcode Fuzzy Hash: 8e27814de8a288cc07e3df73cc59e10aa9708cfd011b136338ed219aeea6d2a4
Instruction Fuzzy Hash: C4917C756482419FD320CF15D889B1ABBE4AF84318F14C5AAF8A98F7A2C730ED45CF91

Function 009D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009D8CF3

Part of subcall function 009B8E54: _wcslen.LIBCMT ref: 009B8E77

_wcslen.LIBCMT ref: 009D8D4E
_wcslen.LIBCMT ref: 009D8D9C
_wcslen.LIBCMT ref: 009D8DDC
_wcslen.LIBCMT ref: 009D8E6E

Strings

stdcall, xrefs: 009D8DD6, 009D8DDB
none, xrefs: 009D8E65, 009D8E6A
winapi, xrefs: 009D8D96, 009D8D9B
cdecl, xrefs: 009D8D48, 009D8D4D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction ID: 511fead7c20a2d319eacc5fd9380a7bc0ad3a8a8af90f6a3472844d8e7cd84f0
Opcode Fuzzy Hash: 5ee006f4e4bdc839d6e132ed96472eea97f4da425d02245d4fc61c287b2ed41e
Instruction Fuzzy Hash: 7551B831A401169BCF14EF68C9405BF77BABF64750720861AE926E73C6DB34DD40CBA0

Function 009D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009D3774
CoUninitialize.OLE32 ref: 009D377F
CoCreateInstance.OLE32(?,00000000,00000017,009EFB78,?), ref: 009D37D9
IIDFromString.OLE32(?,?), ref: 009D384C
VariantInit.OLEAUT32(?), ref: 009D38E4
VariantClear.OLEAUT32(?), ref: 009D3936

Strings

NULL Pointer assignment, xrefs: 009D381E
Invalid parameter, xrefs: 009D3865
Failed to create object, xrefs: 009D37E4, 009D389A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 34118a57f074ec5aaa05c59f07e5fbe937e1125d888d25769474aa648f4cfe9c
Instruction ID: 30f90b376d1e875ad6eaa150c2871000e16e79d711eff9ab1b5d5a60c3e227d2
Opcode Fuzzy Hash: 34118a57f074ec5aaa05c59f07e5fbe937e1125d888d25769474aa648f4cfe9c
Instruction Fuzzy Hash: FC61AFB0648701AFD310DF54C888F5AB7E8AF88712F00880AF9859B391D770EE49DB93

Function 009C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009C33CF

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009C33F0

Strings

Incorrect parameters to object property !, xrefs: 009C34AB
^ ERROR , xrefs: 009C349E
"%s" (%d) : ==> %s:, xrefs: 009C3522
Error: , xrefs: 009C34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 009C3504
Line %d (File "%s"):, xrefs: 009C3443, 009C345C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 449e0bdb5c2f1a19374f469a066a59b2c377992217d9d166fb80aa42a364c1fd
Instruction ID: e6a0a8b48234574de293bb05d50c1bbc76ccf27f40a63598df19fe0ec9deb998
Opcode Fuzzy Hash: 449e0bdb5c2f1a19374f469a066a59b2c377992217d9d166fb80aa42a364c1fd
Instruction Fuzzy Hash: C8518C72D00209BADF15EBA1CD42FEEB379AF54341F508465B90972062EB312F59DB61

Function 009BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009BB5FC
_wcslen.LIBCMT ref: 009BB608
_wcslen.LIBCMT ref: 009BB64D
_wcslen.LIBCMT ref: 009BB68C
_wcslen.LIBCMT ref: 009BB6C7

Strings

KEYS, xrefs: 009BB647, 009BB64C
APPEND, xrefs: 009BB6C1, 009BB6C6
REMOVE, xrefs: 009BB602, 009BB607
EXISTS, xrefs: 009BB686, 009BB68B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction ID: b69c18ec6f89461e81d1496c4469caed31ee3a5a321511f0adfb3d90a2647eb1
Opcode Fuzzy Hash: 94e2a11fdc4ca1915811470a698481f5b3bef1bf19de5a83bffcb2bd2dd25bee
Instruction Fuzzy Hash: 6E41D632A00026DBCB209F7DCE905FE77A9AFA0BB4B244529E565DB2C4E775CD81C790

Function 009C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009C5416
GetLastError.KERNEL32 ref: 009C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009C54A7

Strings

UNKNOWN, xrefs: 009C5444
INVALID, xrefs: 009C5459
READY, xrefs: 009C5460, 009C5468
READONLY, xrefs: 009C5452
NOTREADY, xrefs: 009C544B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction ID: d55ed2eba99ba5c624eef8b1ee53dc416fecd32f2a91559a6039fcb9e52c9644
Opcode Fuzzy Hash: e4688b2c3baddd7e89f5a14125598b2a2a447e26d8d1313dee2686731a99b1a7
Instruction Fuzzy Hash: 07319C75E006049FD714DF68C884FAABBB8EB45305F158069E805CF2A2DB34EDC6CB92

Function 009E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009E3C79
SetMenu.USER32(?,00000000), ref: 009E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E3D10
IsMenu.USER32(?), ref: 009E3D24
CreatePopupMenu.USER32 ref: 009E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E3D5B
DrawMenuBar.USER32 ref: 009E3D63

Strings

F, xrefs: 009E3D4E
0, xrefs: 009E3C54

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction ID: 7318a986a2b53aa2768751030f112cf7088683accc032fc925f9f6eeb3d779fb
Opcode Fuzzy Hash: d6ab2ed9a3e4aaf70948b366915bf3ee0c8bb5a7f7bd25fdcba5bbcacc5f8e18
Instruction Fuzzy Hash: 1A418D75A05249EFDB14CF65D888AAA77B9FF49300F144028F9469B3A0D730AE51DF90

Function 009B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009B1F64
GetDlgCtrlID.USER32 ref: 009B1F6F
GetParent.USER32 ref: 009B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B1F8E
GetDlgCtrlID.USER32(?), ref: 009B1F97
GetParent.USER32(?), ref: 009B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B1FAE

Strings

ComboBox, xrefs: 009B1EEC
ListBox, xrefs: 009B1F21

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8808ef6c58260232367d1ca8137b33e486a7cb43642a4ce7118cae3809b2875d
Instruction ID: 46280b3594095c71e00964419037747c030e1b48c093c76e96490d36a234653d
Opcode Fuzzy Hash: 8808ef6c58260232367d1ca8137b33e486a7cb43642a4ce7118cae3809b2875d
Instruction Fuzzy Hash: 9421D074904214BBDF00EFA0CC95AFEBBB8EF45310B504505F9A167291DB345909DB60

Function 009B1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 009B2043
GetDlgCtrlID.USER32 ref: 009B204E
GetParent.USER32 ref: 009B206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B206D
GetDlgCtrlID.USER32(?), ref: 009B2076
GetParent.USER32(?), ref: 009B208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 009B208D

Strings

ComboBox, xrefs: 009B1FCD
ListBox, xrefs: 009B2002

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8348670fb5bd027632ed20268c58a2b3c219f09785732559c8a8fcba6972d0ec
Instruction ID: b656985d06d4890639ed9f8dfd1d3f7a09d61da563a319403b6eb34a462569cd
Opcode Fuzzy Hash: 8348670fb5bd027632ed20268c58a2b3c219f09785732559c8a8fcba6972d0ec
Instruction Fuzzy Hash: 9921D1B5D00218BBDF10EFA4CD85EEEBBB8EF09310F104405F995A71A1DA794919DB60

Function 009E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009E3C13

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction ID: 590dfb39be90d24b62de58daea54e178f3f0437ea28f93f88c18c5700457a72e
Opcode Fuzzy Hash: 5469c192ae416a943a3b4ae75ec597eac22718147ae387340045adf1b1d7f7c6
Instruction Fuzzy Hash: 82618E75900248AFDB11DFA8CC85EFE77F8EB49700F1441A9FA15A7291C774AE42DB50

Function 00982C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00982C94

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 00982CA0
_free.LIBCMT ref: 00982CAB
_free.LIBCMT ref: 00982CB6
_free.LIBCMT ref: 00982CC1
_free.LIBCMT ref: 00982CCC
_free.LIBCMT ref: 00982CD7
_free.LIBCMT ref: 00982CE2
_free.LIBCMT ref: 00982CED
_free.LIBCMT ref: 00982CFB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction ID: 17bdaa9b5fb1811522f7bd68468e51d65d15816c37d86ab06334b832dfbd9324
Opcode Fuzzy Hash: a159ddd298f86b4ab97f66d852078f1d02a18e61867ca698591c6b42b27f4946
Instruction Fuzzy Hash: 97117476500108AFCB02FF54DA82EDD3BA9FF45350F5245A5FA489F322DA36EE509B90

Function 009C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009C7FC1
GetFileAttributesW.KERNEL32(?), ref: 009C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009C80B0

Strings

*.*, xrefs: 009C8066

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ce82f0032d27a74a873d353c001943ff5cd82d81bb280b81e1341aeccef2f05e
Instruction ID: 9ea12afc62c2007ba3fb66982d5c0e749d63389f05ab1d985151ce40af6e02d6
Opcode Fuzzy Hash: ce82f0032d27a74a873d353c001943ff5cd82d81bb280b81e1341aeccef2f05e
Instruction Fuzzy Hash: 37817E729082419BCB20DF95C894FAAF3E8BB89350F144C5EF885D7261EB34DD498B53

Function 00955BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00955C7A

Part of subcall function 00955D0A: GetClientRect.USER32(?,?), ref: 00955D30
Part of subcall function 00955D0A: GetWindowRect.USER32(?,?), ref: 00955D71
Part of subcall function 00955D0A: ScreenToClient.USER32(?,?), ref: 00955D99

GetDC.USER32 ref: 009946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00994708
SelectObject.GDI32(00000000,00000000), ref: 00994716
SelectObject.GDI32(00000000,00000000), ref: 0099472B
ReleaseDC.USER32(?,00000000), ref: 00994733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009947C4

Strings

U, xrefs: 00994693

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction ID: 81373a3730a56b50202311a59cef5049093931c9350c74ee9d35ba6a054bc7c2
Opcode Fuzzy Hash: 05fc6de226fbbf6bff1a411f72640b5bee391f0022b3b1f04f8b786af781eb62
Instruction Fuzzy Hash: A971E471400209DFCF22CFA8C984EBA3BB9FF4A365F144269ED955A166C3319C42DF50

Function 009C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009C35E4

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

LoadStringW.USER32(00A22390,?,00000FFF,?), ref: 009C360A

Strings

"%s" (%d) : ==> %s:, xrefs: 009C3742
^ ERROR, xrefs: 009C36C9
Error: , xrefs: 009C36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 009C3724
Line %d (File "%s"):, xrefs: 009C366B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 108f00ddeb379e797baa6e509a719c686153c2483b038f46aba11454ed4ada92
Instruction ID: 601f2e316e912343a729247d2f4b26542f8ca1a7403bc91908f4ec4f352f1863
Opcode Fuzzy Hash: 108f00ddeb379e797baa6e509a719c686153c2483b038f46aba11454ed4ada92
Instruction Fuzzy Hash: 77518E72C00209BADF14EBA1CD42FEEBB79EF54341F548129F505720A2EB311B99DB61

Function 009CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009CC2CA
GetLastError.KERNEL32 ref: 009CC322
SetEvent.KERNEL32(?), ref: 009CC336
InternetCloseHandle.WININET(00000000), ref: 009CC341

Strings

, xrefs: 009CC2BB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction ID: e53240aef724fdc82c02f29e37a8c4735accde5ef28fa86eee66f8b584af68b9
Opcode Fuzzy Hash: 2986d13692d900a750dbdba86dd5c1029a59e52d7c3d9b00cb7d7eaff3edd32b
Instruction Fuzzy Hash: B0319CF1A04248AFD7219FA49C88FAB7FFCEB49740B14851EF48AD6201DB34DD459B62

Function 009B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00993AAF,?,?,Bad directive syntax error,009ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009B98BC
LoadStringW.USER32(00000000,?,00993AAF,?), ref: 009B98C3

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009B9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009B98F1
Line %d (File "%s"):, xrefs: 009B992D
Line %d:, xrefs: 009B9912
., xrefs: 009B996D
Error: , xrefs: 009B9955

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 403e02df9b55e0d5d5c445fd74d0919fb005092cbddebb91c397549e5f7ab132
Instruction ID: 481e63b64df5c7bd0b1d986fc9df0dc571306a06f11fcdc6d7ec0ea4cadb2888
Opcode Fuzzy Hash: 403e02df9b55e0d5d5c445fd74d0919fb005092cbddebb91c397549e5f7ab132
Instruction Fuzzy Hash: 1B215C3191021AEBDF15EFA0CC06FEE7739BF58701F044865BA19660A2EA719A58DB10

Function 009B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B214D

Strings

smallicons, xrefs: 009B2115
largeicons, xrefs: 009B20E1
details, xrefs: 009B20FB
list, xrefs: 009B212F
SHELLDLL_DefView, xrefs: 009B20CC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction ID: 91bac71e2b2bb9d4863736ecab7b5ea7566439c391bc4309268447ec31909cf3
Opcode Fuzzy Hash: 3abd35c1f4d235f6f413fd4930898f9a30369051435f966007a6bfb06de2a7ef
Instruction Fuzzy Hash: 251106B7A8C707B9F6052334DD06DE7379CDB45734B20441AFB08E50D2FA696C425A14

Function 00988D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction ID: b8d5c1897c46c6a9e0810b02e27c0c0d8cfe73cec4e3fee038c9c2186a99d8ae
Opcode Fuzzy Hash: 24d1514f275db82b3378ca39fb2376403692b8f672e3dfc1fdf66d75ddb1d862
Instruction Fuzzy Hash: 31C1D275A04249AFCB21FFECC841BBEBBB4AF49310F184159E954AB393C7349942CB61

Function 0098CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0098CEB7
_free.LIBCMT ref: 0098CF22
_free.LIBCMT ref: 0098CF48
_free.LIBCMT ref: 0098CF71
_free.LIBCMT ref: 0098CFA9
_free.LIBCMT ref: 0098CFDA
_free.LIBCMT ref: 0098D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0098D09C
_free.LIBCMT ref: 0098D0B5

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 93b50c13fd6f1326d19a5332acc7e110ebd604365e750cf60c1fbc0231a6c6ce
Instruction ID: 262a41dfe52b9e4d95e0b2f359b9e27524e239bd939010b93d5370dee0b0a590
Opcode Fuzzy Hash: 93b50c13fd6f1326d19a5332acc7e110ebd604365e750cf60c1fbc0231a6c6ce
Instruction Fuzzy Hash: C96129B1905301AFEF35BFB89881B7E7BA9EF45310F14416EFA45A7382D6369D028760

Function 009E50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009E5186
ShowWindow.USER32(?,00000000), ref: 009E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009E51D1

Part of subcall function 009E6FBA: DeleteObject.GDI32(00000000), ref: 009E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009E5296

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 59f989956786fd3aae9d0142226b8fc8c948b3fdce90f6fc94b6d015787bf802
Instruction ID: ca4192b01ab9d6e9c75543366a9e63df7a7f65b2deb95cf4e8ba50d300df4dfa
Opcode Fuzzy Hash: 59f989956786fd3aae9d0142226b8fc8c948b3fdce90f6fc94b6d015787bf802
Instruction Fuzzy Hash: A851E370A54A88BFEF329F26CC45BD93B69FB05369F158011FA249A2E1C375DD80DB40

Function 00968B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00968874,00000000,00000000,00000000,000000FF,00000000), ref: 009A692D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction ID: de3d9b70c828c8587c56e5a76287c21ef99953cf9a02300f263ea78202e5d591
Opcode Fuzzy Hash: 2cec8a9f31dd0bd97278bd89dd51d774c31c8d222e422181557b33f6c55ef4ce
Instruction Fuzzy Hash: 8F518DB0600209EFDB20CF28CC95FAA7BB9FB94750F144618F952972A0DB74ED91DB50

Function 009CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009CC182
GetLastError.KERNEL32 ref: 009CC195
SetEvent.KERNEL32(?), ref: 009CC1A9

Part of subcall function 009CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009CC272
Part of subcall function 009CC253: GetLastError.KERNEL32 ref: 009CC322
Part of subcall function 009CC253: SetEvent.KERNEL32(?), ref: 009CC336
Part of subcall function 009CC253: InternetCloseHandle.WININET(00000000), ref: 009CC341

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction ID: 4ccee4c84bd820613f4c821c4aaf7621faffb5caab8718bf60644989f2536785
Opcode Fuzzy Hash: 789def14d95b9151189841df7f6142be699f7b9d7b0d4e2f23aa0ebf1884aa2d
Instruction Fuzzy Hash: 0E319AB1A04641AFDB219FA5DC44F66BFEDFF58310B04441DF9AA86611C731E811ABA2

Function 009B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 009B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009B2627

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction ID: 75d0a8c1659d77f3e3d750b7a7e7ba4d22e596fd41f2aec8ffe02a54e23d1830
Opcode Fuzzy Hash: f1877cec4c4d15c691540e8a81b19ca4b599258d09e2ad2065f4efdfaf25f92c
Instruction Fuzzy Hash: F501D870398350BBFB1067699CCAF993F59DB8EB22F100011F354AE0D1C9E118459A69

Function 009B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009B1449,?,?,00000000), ref: 009B180C
HeapAlloc.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1828
GetCurrentProcess.KERNEL32(?,00000000,?,009B1449,?,?,00000000), ref: 009B1830
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009B1449,?,?,00000000), ref: 009B1843
GetCurrentProcess.KERNEL32(009B1449,00000000,?,009B1449,?,?,00000000), ref: 009B184B
DuplicateHandle.KERNEL32(00000000,?,009B1449,?,?,00000000), ref: 009B184E
CreateThread.KERNEL32(00000000,00000000,009B1874,00000000,00000000,00000000), ref: 009B1868

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction ID: c91e2a9b3488a70d4f31efbf197a6ed4e4e89416b19bbeb317fe519bc7e965ea
Opcode Fuzzy Hash: 35b3d6f619d1523faabe0f7b0788bafff59dabcd3965ea6766b6be655fbd75c6
Instruction Fuzzy Hash: 7C01A8B5254348BFE610ABA5DC89F6B3BACEB89B11F404411FA45DB1A1CA709C019B20

Function 009DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 009BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009BD501
Part of subcall function 009BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009BD50F
Part of subcall function 009BD4DC: CloseHandle.KERNELBASE(00000000), ref: 009BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA16D
GetLastError.KERNEL32 ref: 009DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009DA268
GetLastError.KERNEL32(00000000), ref: 009DA273
CloseHandle.KERNEL32(00000000), ref: 009DA2C4

Strings

SeDebugPrivilege, xrefs: 009DA18F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f3347166e892cb75e6e5abab653ede14ba8510be5866fc5f176ad00ca7302830
Instruction ID: d9cfed9d9ee67d9a4bdedb37236aa06e7624b24a7465d1a4d74d773862a2c897
Opcode Fuzzy Hash: f3347166e892cb75e6e5abab653ede14ba8510be5866fc5f176ad00ca7302830
Instruction Fuzzy Hash: B061AE702482429FD710DF19C894F1ABBE5AF84318F14C48DE9664B7A3C776ED49CB92

Function 009E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E3954
_wcslen.LIBCMT ref: 009E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E39F4

Strings

SysListView32, xrefs: 009E38F7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction ID: 9d8522d67651bf8c3c05ed0d642380d6af5f5854b62413d78ed021eed13cba60
Opcode Fuzzy Hash: d9b2e5167ba37b6500b496adcb5c059918208761693450d2ae1fa98aa9cd4288
Instruction Fuzzy Hash: AB41C371A00259ABEF229F65CC49FEA7BA9FF48350F104526F948E7281D7719E80CB90

Function 009BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009BBCFD
IsMenu.USER32(00000000), ref: 009BBD1D
CreatePopupMenu.USER32 ref: 009BBD53
GetMenuItemCount.USER32(00F45720), ref: 009BBDA4
InsertMenuItemW.USER32(00F45720,?,00000001,00000030), ref: 009BBDCC

Strings

2, xrefs: 009BBD37
0, xrefs: 009BBCA8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction ID: e590e4abef7365812b7effef1a85bd7e5bc7aa4b9045dfcb4ce5dc70e2492e8f
Opcode Fuzzy Hash: 313642c4245e9d4564665079bd744c971cf97388bd4bceeef375ffdd0674e868
Instruction Fuzzy Hash: 0D51AFB0A04205DBDF20CFA8DAC4BEEBBF8AFC5324F144619E5519B2D0D7B89941CB61

Function 009BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009BC913

Strings

question, xrefs: 009BC8CC
warning, xrefs: 009BC8FC
info, xrefs: 009BC8B4
stop, xrefs: 009BC8E4
blank, xrefs: 009BC895

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction ID: f71798ca017de03ac7621d45d280970f820812b7033feaa6c8cca115e7d84b79
Opcode Fuzzy Hash: 3cc5140ae1a8291aa8553b93ecd2f57268a1fbf74fdd85aa1aaf174a18f345c0
Instruction Fuzzy Hash: 331136B2789307BAF7049B149E83DEA379CDF55375B20442AF504E62C2E7B4AE405268

Function 009BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009BDE42
gethostname.WSOCK32(?,00000100), ref: 009BDE5C
gethostbyname.WSOCK32(?), ref: 009BDE69
inet_ntoa.WSOCK32(?), ref: 009BDEAB
_strcat.LIBCMT ref: 009BDEB9
WSACleanup.WSOCK32 ref: 009BDEDE

Strings

0.0.0.0, xrefs: 009BDE87

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fcf9cff31fc01be8ef9dfdb78ceefaa1c2646aaeee732816417f0ea02f0e0635
Instruction ID: e8e0cbd24c2729bdf226278be81fd50408e40d0fe438382f7ed7084b5406d247
Opcode Fuzzy Hash: fcf9cff31fc01be8ef9dfdb78ceefaa1c2646aaeee732816417f0ea02f0e0635
Instruction Fuzzy Hash: 68110672904214ABDB20AB20DD4AFEE77ACEF91720F0001A9F549AA091FF75CE819A50

Function 009E9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetSystemMetrics.USER32(0000000F), ref: 009E9FC7
GetSystemMetrics.USER32(0000000F), ref: 009E9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009EA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009EA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009EA263
ShowWindow.USER32(00000003,00000000), ref: 009EA282
InvalidateRect.USER32(?,00000000,00000001), ref: 009EA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 009EA2CA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c276242fc349b8c8085c38c36ab83cf999570c5a870808b3f45b6714c99ae7f7
Instruction ID: e0be7e27f76019397944d39ec99ffb87a872177ac79e7927d0e8a37d7249ad61
Opcode Fuzzy Hash: c276242fc349b8c8085c38c36ab83cf999570c5a870808b3f45b6714c99ae7f7
Instruction Fuzzy Hash: 73B1C730600255EFCF15CF6AC9C47AA7BB6BF48711F088069ED99AB2A5DB31AD40CB51

Function 009BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009BED2A
_wcslen.LIBCMT ref: 009BED3B
_wcslen.LIBCMT ref: 009BED79
_wcslen.LIBCMT ref: 009BEDAF
_wcslen.LIBCMT ref: 009BEDDF
_wcslen.LIBCMT ref: 009BEDEF
_wcslen.LIBCMT ref: 009BEE2B
_wcslen.LIBCMT ref: 009BEE5A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction ID: efe7d97adb1630ab58d7e29805d417c8f04a4b23fe679717fae293e416551771
Opcode Fuzzy Hash: d8934dde24263c020790e6e800f6c0f7c3230376936c5e6aea9b765bfc664ab6
Instruction Fuzzy Hash: 2B419666D10118B6CB11EBF4888AACF77BCAF85710F50C566F528E3122FB34E255C7A6

Function 0096F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 0096F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009AF454

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction ID: 875c879ca13288ca7c963155479500b2cad6e96aa14a6cdac028da6bed5e1856
Opcode Fuzzy Hash: 18ef2c9955a9d9b19047f369774cbe1fa5de96f49b593db382e504bc2a7215dc
Instruction Fuzzy Hash: C1414D70208780BADB398B7DE9FC73A7BE9AB5B354F14483CE09756660C636A881D750

Function 009E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009E2D1B
GetDC.USER32(00000000), ref: 009E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E2DE1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction ID: da1967fe54448af3b937e52043ba58935ac5c97cc46bd8b898718e2c90ad34ca
Opcode Fuzzy Hash: 8779f950778006ef923b248166412f666089b291186a781fdc4b6915177df7ff
Instruction Fuzzy Hash: E03189B2215294BBEB218F558C8AFEB3BADEB49721F044055FE489E291C6759C41CBA0

Function 009B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5637
_memcmp.LIBVCRUNTIME ref: 009B5659
_memcmp.LIBVCRUNTIME ref: 009B5671
_memcmp.LIBVCRUNTIME ref: 009B5684
_memcmp.LIBVCRUNTIME ref: 009B569E
_memcmp.LIBVCRUNTIME ref: 009B56B1
_memcmp.LIBVCRUNTIME ref: 009B56C9
_memcmp.LIBVCRUNTIME ref: 009B56E4

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction ID: b1c04f45ce96ff50effb772eee53031683921d21274b7d7ab66ebcfc02a3a5a3
Opcode Fuzzy Hash: 83e8189dec1072d2faab75f31eaee7ecb2510675e22e611cae2f25342594d924
Instruction Fuzzy Hash: D5212E72740A09F7E61555258F92FFB335CAFA03ACF654035FD089A581FB24EE1182E5

Function 009D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 009D5007
NULL Pointer assignment, xrefs: 009D502E, 009D5383

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 652764d757435c19ca51945d50680485da1dc6aa95aba3ff1391823e2cfdd7c1
Instruction ID: 3e4c2d4d990331c00e0bf309b5cbad3e19c08cfc0fd582ce461225b38b4b6132
Opcode Fuzzy Hash: 652764d757435c19ca51945d50680485da1dc6aa95aba3ff1391823e2cfdd7c1
Instruction Fuzzy Hash: FED1A271A4060A9FDF10CF98C881BAEB7B9BF48344F15C46AE915AB381E770DD45CB90

Function 00991522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 009915CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00991651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009916E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009916FB

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00991777
__freea.LIBCMT ref: 009917A2
__freea.LIBCMT ref: 009917AE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction ID: 5ecc1c136a6fd0c0afe37c5738ac7130d1eeb0fb10c7a3db5e5ccee0c8df8c91
Opcode Fuzzy Hash: d0aa6e95ad7746bafd69841ee599aa03141521202356934aa625eb26ce640451
Instruction Fuzzy Hash: B891B372E002179ADF219EB8C881AEE7BB9BF89710F194659F905E7281D735DC40CB61

Function 009D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D4648
VariantInit.OLEAUT32(?), ref: 009D4749
VariantClear.OLEAUT32(?), ref: 009D4753
VariantClear.OLEAUT32(?), ref: 009D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009D45D8, 009D4706, 009D47BE
Incorrect Object type in FOR..IN loop, xrefs: 009D472C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 23ed22c836ef62b129d4d56d411163f25820f56b3e634c3d1c7dfaa3dbdcabe6
Instruction ID: 5290cc2c41de36bd3f2af945969c35294489d4d21e4d448c361770d5438b70b0
Opcode Fuzzy Hash: 23ed22c836ef62b129d4d56d411163f25820f56b3e634c3d1c7dfaa3dbdcabe6
Instruction Fuzzy Hash: 19919071A40219ABDF20CFA5DC84FAEBBB8EF86714F10855AF515AB280D7709941CFA0

Function 009C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009C1430

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c1d8c7ca263037a7c419c0043cea237e091d060559933bce25973f3ab260f91f
Instruction ID: 67927f61c617f5a319ec53db6b2cd129b7a6e3eb33fe3280538fc2f75da6985c
Opcode Fuzzy Hash: c1d8c7ca263037a7c419c0043cea237e091d060559933bce25973f3ab260f91f
Instruction Fuzzy Hash: B791E175E002099FEB04DF94C884FBE77B9FF86315F104029E950EB2A2D774A941CB96

Function 0096948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction ID: 684155e34d2b9cde473d98de0c8f58fb38ad6cf3abc8fa90887dd7ad168533cb
Opcode Fuzzy Hash: e4de8337751b7c4de9909f41f9b093a8f3f393cd28a987bbbc610ebbdb3bdbb4
Instruction Fuzzy Hash: 56912771D04219EFCB10CFA9CC85AEEBBB8FF49320F144559E916B7251D778A942CBA0

Function 009D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D396B
CharUpperBuffW.USER32(?,?), ref: 009D3A7A
_wcslen.LIBCMT ref: 009D3A8A
VariantClear.OLEAUT32(?), ref: 009D3C1F

Part of subcall function 009C0CDF: VariantInit.OLEAUT32(00000000), ref: 009C0D1F
Part of subcall function 009C0CDF: VariantCopy.OLEAUT32(?,?), ref: 009C0D28
Part of subcall function 009C0CDF: VariantClear.OLEAUT32(?), ref: 009C0D34

Strings

Incorrect Parameter format, xrefs: 009D39A6, 009D3BA1
AUTOIT.ERROR, xrefs: 009D3A80, 009D3A85

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 84a015d8dcec0bc3f1dc320a5ff8226648df6e7bb39f3d4f5e7ec353368c0c74
Instruction ID: ffe7e9f1348bcc88e552c8c291da9934f4aa3d0ad49a466f8d829421b5d02716
Opcode Fuzzy Hash: 84a015d8dcec0bc3f1dc320a5ff8226648df6e7bb39f3d4f5e7ec353368c0c74
Instruction Fuzzy Hash: 7C9157756083019FC700DF64C490A6AB7E8FF89315F14892EF8899B351DB34EE49CB92

Function 009D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
Part of subcall function 009B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
Part of subcall function 009B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
Part of subcall function 009B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009D4C51
_wcslen.LIBCMT ref: 009D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009D4DCF
CoTaskMemFree.OLE32(?), ref: 009D4DDA

Strings

NULL Pointer assignment, xrefs: 009D4E23, 009D4E52

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction ID: e63c7125bbdc76171ecde8d8df0838ff0d0566a8d750354b703f7b655d5c9d26
Opcode Fuzzy Hash: 703c2db57571b5a33584b7dd0fd8853cd0542bab92ba30ce1383a94f7d5f5752
Instruction Fuzzy Hash: 16911871D0021DEFDF10DFA5C891AEEB7B9BF48310F10856AE919AB251DB349A45CFA0

Function 009E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009E2183
GetMenuItemCount.USER32(00000000), ref: 009E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E21DD
_wcslen.LIBCMT ref: 009E2213
GetMenuItemID.USER32(?,?), ref: 009E224D
GetSubMenu.USER32(?,?), ref: 009E225B

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009E22E3

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ade9862b3c442f27ded66270ed9c473ae771ee3355f3c998595277120e25353b
Instruction ID: 378574ff55c436333ec8c4b29be14b85515ac44e352e973cc10b4ae234fb0715
Opcode Fuzzy Hash: ade9862b3c442f27ded66270ed9c473ae771ee3355f3c998595277120e25353b
Instruction Fuzzy Hash: D571B075A04245AFCB15DF65C881AAEB7F9FF88310F108458E966EB341DB34EE01CB90

Function 009E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F45450), ref: 009E7F37
IsWindowEnabled.USER32(00F45450), ref: 009E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009E801E
SendMessageW.USER32(00F45450,000000B0,?,?), ref: 009E8051
IsDlgButtonChecked.USER32(?,?), ref: 009E8089
GetWindowLongW.USER32(00F45450,000000EC), ref: 009E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009E80C3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3396f80ca6bb90a26faa3a2aaa2a47e4e8274867204f3771ee3fa113f0af39df
Instruction ID: 5be7bc9354f90f134ced7140ed8fe922bc18673f62422bfea6d899585c5b9382
Opcode Fuzzy Hash: 3396f80ca6bb90a26faa3a2aaa2a47e4e8274867204f3771ee3fa113f0af39df
Instruction Fuzzy Hash: 93718C74608284AFEB26DFA6C884FEABBB9FF49300F144859E94597261CB31AC45DB11

Function 009BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009BAEF9
GetKeyboardState.USER32(?), ref: 009BAF0E
SetKeyboardState.USER32(?), ref: 009BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 009BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 009BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 009BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009BB020

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction ID: 37b6a4912af76d87a8f8d41544398b8dfe20aabea4e133393bb53195b2f9dda4
Opcode Fuzzy Hash: e75403ac9d23569ae37684b3fab4720c8c94e44f6dc20810c1a0bb7dfd2e37a3
Instruction Fuzzy Hash: CF51D1A06187D53DFB3652348E45BFBBEAD5B06324F088489E1E9558C2C3D9ECC8D751

Function 009BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009BAD19
GetKeyboardState.USER32(?), ref: 009BAD2E
SetKeyboardState.USER32(?), ref: 009BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009BAE38

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction ID: e44c24aec4c3e174c4d2cfcd705fb8bc7c1cb6b727b342a95072f8e3468bd092
Opcode Fuzzy Hash: 5e702596f88195692c9a85f1a158c388468198b5358475dc723f40f2105d719e
Instruction Fuzzy Hash: 6051F6A15087D53DFB338334CE95BFA7EAD5B86710F088588E1D54A8C2C294EC88E762

Function 0098542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00993CD6,?,?,?,?,?,?,?,?,00985BA3,?,?,00993CD6,?,?), ref: 00985470
__fassign.LIBCMT ref: 009854EB
__fassign.LIBCMT ref: 00985506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00993CD6,00000005,00000000,00000000), ref: 0098552C
WriteFile.KERNEL32(?,00993CD6,00000000,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 0098554B
WriteFile.KERNEL32(?,?,00000001,00985BA3,00000000,?,?,?,?,?,?,?,?,?,00985BA3,?), ref: 00985584

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction ID: de63d4344eb5464ee3664c5ac149d2d15759d1ae547ac936dddaad3b99d21233
Opcode Fuzzy Hash: 48c52e98991a094b8e7ddd9cb2c6fc6ed2657dc09d31253b658a9391f822e197
Instruction Fuzzy Hash: 7151E3B1A006499FDB10DFA8D885AEEBBF9EF08300F15451AF955E7391D7309E46CB60

Function 00972D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00972D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00972D53
_ValidateLocalCookies.LIBCMT ref: 00972DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00972E0C
_ValidateLocalCookies.LIBCMT ref: 00972E61

Strings

csm, xrefs: 00972DF6

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction ID: 6c25148bc88135230222a87f6bf503c89da402f9f8b2d34268a4a0db0b419c53
Opcode Fuzzy Hash: 417d40e0b6f7d2c0681a44ce4558b698746d310304d9a389170c66130c7df450
Instruction Fuzzy Hash: D1419236E10209ABCF20DF68CC55A9EBBB9BF84324F14C155E9186B392D731EA45CB91

Function 009D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
Part of subcall function 009D304E: _wcslen.LIBCMT ref: 009D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D1112
WSAGetLastError.WSOCK32 ref: 009D1121
WSAGetLastError.WSOCK32 ref: 009D11C9
closesocket.WSOCK32(00000000), ref: 009D11F9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction ID: bdc06b311612f1f622fbc0759dd564a59427c5aced9bd8efcf9846d46427d9ca
Opcode Fuzzy Hash: a2ee54a599b509fb46039bb1767325f4d81c7f1a984a0254518aeb01c136634f
Instruction Fuzzy Hash: C541F272604204AFDB10DF64C884BAABBE9EF85324F14C05AFD559F392C774AD46CBA1

Function 009BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

lstrcmpiW.KERNEL32(?,?), ref: 009BCF45
MoveFileW.KERNEL32(?,?), ref: 009BCF7F
_wcslen.LIBCMT ref: 009BD005
_wcslen.LIBCMT ref: 009BD01B
SHFileOperationW.SHELL32(?), ref: 009BD061

Strings

\*.*, xrefs: 009BCFF3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: bc334e2353ee631639729a671fa7dcf5873a3b31e7735d1bcf3e12919420c67a
Instruction ID: 1bfb9de91303cd17c79e8bfe900cfed4dfd8af7fbe7cb5e97b617c2d45821307
Opcode Fuzzy Hash: bc334e2353ee631639729a671fa7dcf5873a3b31e7735d1bcf3e12919420c67a
Instruction Fuzzy Hash: 4A4169B190521C9FDF12EFA4CA81BED77BDAF48390F1004E6E549EB142EB34A645CB50

Function 009E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 009E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 009E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 009E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E2F0B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction ID: 93719378fbd2a5e2df359a7318fcf161789d8fb3606b19f3526938f3a819ef34
Opcode Fuzzy Hash: 2e23575fe6761fdcec62f85a948921185fbd27f7cc54a20ff128eb0169178d2a
Instruction Fuzzy Hash: C73108316082A19FDB22CF59DC84F6537E9FB9AB10F1501A8F9419F2B2CB71AC42DB41

Function 009B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B778F
SysAllocString.OLEAUT32(00000000), ref: 009B7792
SysAllocString.OLEAUT32(?), ref: 009B77B0
SysFreeString.OLEAUT32(?), ref: 009B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009B77DE
SysAllocString.OLEAUT32(?), ref: 009B77EC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 161ffd4e5377d9ca0ca1f6fc6cd553c1eab9ecfe1aba6e85db2b852a5593102b
Instruction ID: af7dbb28520078fcd292debb962139c21eee2de402a9b436cc7698235a13093b
Opcode Fuzzy Hash: 161ffd4e5377d9ca0ca1f6fc6cd553c1eab9ecfe1aba6e85db2b852a5593102b
Instruction Fuzzy Hash: 8721B276608219AFDB10DFA8DDC8DFBB7ACEB493647108525F914DF1A0DA70DC428760

Function 009B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009B7868
SysAllocString.OLEAUT32(00000000), ref: 009B786B
SysAllocString.OLEAUT32 ref: 009B788C
SysFreeString.OLEAUT32 ref: 009B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 009B78AF
SysAllocString.OLEAUT32(?), ref: 009B78BD

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3d2f5f8633d23683bea6b8da3d558208e61de1da358ffe547eec1b9d137cfa48
Instruction ID: dcf304463c7a21554aaca5b76242c7a28cbf2aaa6518e69e8d2708c836c59a65
Opcode Fuzzy Hash: 3d2f5f8633d23683bea6b8da3d558208e61de1da358ffe547eec1b9d137cfa48
Instruction Fuzzy Hash: B5216072608204BFDB109FF8DDC8DAAB7ACEB497607108225F915CB2A1E674DC41DB64

Function 009C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C052E

Strings

nul, xrefs: 009C0567

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction ID: 439de64aa8f0adc464ce73b9ae404d9e33b3215d067f538f06582e60d9197bbc
Opcode Fuzzy Hash: 78fe944e8967bf004578ff2bda5cb4f65035e3973ca4056ee4bec96bd47ca42d
Instruction Fuzzy Hash: 16215CB5900345EBDF209F2AD844F9A7BA8BF84724F204A1DF8A1D62E0E770D941DF21

Function 009C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C0601

Strings

nul, xrefs: 009C0639

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction ID: a4b42d6cc85e697f7945d2164d6488aaa888b08a4160010916b729c2173ca8f8
Opcode Fuzzy Hash: d57f91f8b6f862207041a7876facde25bd7d0607cf90b27d88dfe81825b9c631
Instruction Fuzzy Hash: 9C219F75904315DBDB208F698D44F9A77A8AFC5B20F200B1DF8E1E72E0D7709861CB22

Function 009E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E4145

Strings

Msctls_Progress32, xrefs: 009E40E3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction ID: 0462b037588f370c6dd602d8fd9ecf8b8a60a5c82ca05802ebaf93890f52e94b
Opcode Fuzzy Hash: db0937063b9cdcc993ce4d6b7e7cb8d55c383893653aa776fca4bfd6445913c4
Instruction Fuzzy Hash: D811B2B2150219BEEF118FA5CC85EE77FADFF18798F014120BA18A6190C676DC61DBA4

Function 0098D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0098D7A3: _free.LIBCMT ref: 0098D7CC

_free.LIBCMT ref: 0098D82D

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D838
_free.LIBCMT ref: 0098D843
_free.LIBCMT ref: 0098D897
_free.LIBCMT ref: 0098D8A2
_free.LIBCMT ref: 0098D8AD
_free.LIBCMT ref: 0098D8B8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fa8813a4cc63bbe74e9c3185b76627e16394399da77ad02a7f341cc7a5f88429
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1211FEB1542B04AAE621BFB0CD47FCF7BDCAF85700F404825F299A66D2DA69B5058760

Function 009BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009BDA74
LoadStringW.USER32(00000000), ref: 009BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009BDA91
LoadStringW.USER32(00000000), ref: 009BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009BDAB9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction ID: 46f246afd24dc2c607d56d9fae78930f40510e2b5e022a44b689a5264516be33
Opcode Fuzzy Hash: 58ea342d6685030d171929376133f7d5da86c3482c956eb7e6bc18c3d58821cd
Instruction Fuzzy Hash: 5B0186F2514348BFEB119BE09DC9EEB736CEB08701F400891B796E6041E6749E858F74

Function 009C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F3E990,00F3E990), ref: 009C097B
EnterCriticalSection.KERNEL32(00F3E970,00000000), ref: 009C098D
TerminateThread.KERNEL32(?,000001F6), ref: 009C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009C09A9
CloseHandle.KERNEL32(?), ref: 009C09B8
InterlockedExchange.KERNEL32(00F3E990,000001F6), ref: 009C09C8
LeaveCriticalSection.KERNEL32(00F3E970), ref: 009C09CF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction ID: 770330c43df494c77026d18826f7a2c98e12037f9ca4dc6b7896d7d6935b5809
Opcode Fuzzy Hash: c76b7bbe5d8745b08ce7e951858851d9aec9428082ec3209ef26f927a6e00718
Instruction Fuzzy Hash: FCF03171456642FBD7415F94EECCBD67B39FF41702F402015F251588A0C7749866DF90

Function 00955D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00955D30
GetWindowRect.USER32(?,?), ref: 00955D71
ScreenToClient.USER32(?,?), ref: 00955D99
GetClientRect.USER32(?,?), ref: 00955ED7
GetWindowRect.USER32(?,?), ref: 00955EF8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: abe4edc66fbfb7baa5ff0886ef98d172f979a3a41cd73c3756bc9b2d400ec5c1
Instruction ID: a30868e8427f549e9429926c7b8c2c44c74adfadb673b74d90f2c889e0717d49
Opcode Fuzzy Hash: abe4edc66fbfb7baa5ff0886ef98d172f979a3a41cd73c3756bc9b2d400ec5c1
Instruction Fuzzy Hash: 1DB19B74A0064AEBDF10CFAAC481BEEB7F5FF08311F14881AE8A9D7250D734AA45DB50

Function 009801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009800D6
__allrem.LIBCMT ref: 009800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0098010B
__allrem.LIBCMT ref: 00980122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00980140

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 633dba28df89c79a1086ce52d61b5ac06bc7fe5ff4b32272c31594fc6fa379d6
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 2781E572A007069BE720AF68CC52B6A73E9EFC1734F24853AF555DB781EB74D9048B90

Function 009D1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,009D101C,00000000,?,?,00000000), ref: 009D3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D1DE1
WSAGetLastError.WSOCK32 ref: 009D1DF2
inet_ntoa.WSOCK32(?), ref: 009D1E8C
htons.WSOCK32(?,?,?,?,?), ref: 009D1EDB
_strlen.LIBCMT ref: 009D1F35

Part of subcall function 009B39E8: _strlen.LIBCMT ref: 009B39F2

Part of subcall function 00956D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0096CF58,?,?,?), ref: 00956DBA
Part of subcall function 00956D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0096CF58,?,?,?), ref: 00956DED

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 28da12a09074911304a8484d02127061c13e096a26155babb2f17da81031bfcc
Instruction ID: 65317a0df5227fe8d1a3d938e3342d053306cdc85ce25894513e278996782983
Opcode Fuzzy Hash: 28da12a09074911304a8484d02127061c13e096a26155babb2f17da81031bfcc
Instruction Fuzzy Hash: 0DA1AC72244340AFC324DF25C895F2A7BA9AFC4318F54894DF8565B3A2DB31ED46CB91

Function 009861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009782D9,009782D9,?,?,?,0098644F,00000001,00000001,8BE85006), ref: 00986258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0098644F,00000001,00000001,8BE85006,?,?,?), ref: 009862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009863D8
__freea.LIBCMT ref: 009863E5

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

__freea.LIBCMT ref: 009863EE
__freea.LIBCMT ref: 00986413

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction ID: 97fd4ebcad1c5199735d660fe269847466940b616014ab324e1db7c1c8827f9c
Opcode Fuzzy Hash: c544635a6df085bf30d2c149807baf7e6597c9d610e12196c362018dd8dc0186
Instruction Fuzzy Hash: CA51B072600216ABEB25AF64DC81FBF77AAEB84750F15466AFC05DB250EB34DC40D760

Function 009DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBD25
RegCloseKey.ADVAPI32(00000000), ref: 009DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009DBDF3
RegCloseKey.ADVAPI32(?), ref: 009DBDFF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f0462434377a4f4768159490bb4f3c78825c01bda9eb5a40949b1381590f10e7
Instruction ID: 4d9e097af205aa92b37638123056979aeebb7badb9af54ca45d6b057ec39bf03
Opcode Fuzzy Hash: f0462434377a4f4768159490bb4f3c78825c01bda9eb5a40949b1381590f10e7
Instruction Fuzzy Hash: 1F81A070218241EFD714DF24C891E2ABBE9FF84308F15895DF5998B2A2DB31ED45CB92

Function 009AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 009AF7B9
SysAllocString.OLEAUT32(00000001), ref: 009AF860
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF889
VariantClear.OLEAUT32(009AFA64), ref: 009AF8AD
VariantCopy.OLEAUT32(009AFA64,00000000), ref: 009AF8B1
VariantClear.OLEAUT32(?), ref: 009AF8BB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5b13054a1a97eacca00d7968b7efaa525bf85da7deb8d993660b3ca721375e8b
Instruction ID: 754ed443cbc41a993e860be31c2f34ae63932ded98f00126f4974a9e503426dc
Opcode Fuzzy Hash: 5b13054a1a97eacca00d7968b7efaa525bf85da7deb8d993660b3ca721375e8b
Instruction Fuzzy Hash: C051D935510310BADF14ABA5D8B5B2AB3A8EFC6310F244866F906DF291EB749C41C7D6

Function 009C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009C94E5
_wcslen.LIBCMT ref: 009C9506
_wcslen.LIBCMT ref: 009C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009C9585

Strings

X, xrefs: 009C9412

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 12ce928a10957b3a3fc9c22812f0fe2eab8e5bfd276a9ddf0dc4e15dc28d6a15
Instruction ID: 1ef927eec40fb3b456174d7c7e28bc2cade0286f903bf49f2483a63fbaaf8a07
Opcode Fuzzy Hash: 12ce928a10957b3a3fc9c22812f0fe2eab8e5bfd276a9ddf0dc4e15dc28d6a15
Instruction Fuzzy Hash: 3AE17B31A083518FD724DF25C885F6AB7E4BF85314F04896DF8999B2A2EB31DD05CB92

Function 0096920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

BeginPaint.USER32(?,?,?), ref: 00969241
GetWindowRect.USER32(?,?), ref: 009692A5
ScreenToClient.USER32(?,?), ref: 009692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009692D3
EndPaint.USER32(?,?,?,?,?), ref: 00969321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009A71EA

Part of subcall function 00969339: BeginPath.GDI32(00000000), ref: 00969357

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction ID: 12aef1d06a6f47335814ffbd95f224153b979a360715d4857ddd9d00d79178b6
Opcode Fuzzy Hash: 65735abfd563a84bf7d2a1d8d713e8041d2af6dfc018c6bee4bf58e07124ad1f
Instruction Fuzzy Hash: 9141AD70108341AFD721DF68CCD5FBA7BECEB96720F040629F9A48B2A1C7319846DB61

Function 009C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009C0847
EnterCriticalSection.KERNEL32(?), ref: 009C0863
LeaveCriticalSection.KERNEL32(?), ref: 009C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009C0921

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 43fbf9fa1c6e4f6251bf7617dfab20b33aaa66fc27d68431205c876f27944383
Instruction ID: 2181b24c5e8a6528d7c7e1ac18b22758e9b2da5903e8675cd9463c8679dfb3c8
Opcode Fuzzy Hash: 43fbf9fa1c6e4f6251bf7617dfab20b33aaa66fc27d68431205c876f27944383
Instruction Fuzzy Hash: 37415972900205EBDF159F54DC85BAA7B78FF84300F1480A9ED049E297D731DE61DBA0

Function 009E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009AF3AB,00000000,?,?,00000000,?,009A682C,00000004,00000000,00000000), ref: 009E824C
EnableWindow.USER32(?,00000000), ref: 009E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009E82D1
ShowWindow.USER32(?,00000004), ref: 009E82E5
EnableWindow.USER32(?,00000001), ref: 009E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009E832F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction ID: 19ddb91da0d09704715f6b9fdbe5199e6023615d15c4976b4aedd7665b1460e6
Opcode Fuzzy Hash: 1f8cf8795ca2ca1d55185360da656ffaabb8cd43e13c6c9abf5d5de785348bd9
Instruction Fuzzy Hash: C941C730601684EFDB26CF96C895BE57BE4FB0A754F185169E61C5F362CB32AC42CB50

Function 009B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009B4CEA
_wcslen.LIBCMT ref: 009B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009B4D10
_wcsstr.LIBVCRUNTIME ref: 009B4D1A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c64c2a9a0cf12bfbbda0fa6137325d7a446f0d763cca12d06b0e607246e5c53e
Instruction ID: 8ede2469cbbc5cbe6a389b9b4435a1f4eb221f3b20144c80ea85fa83fc8377dc
Opcode Fuzzy Hash: c64c2a9a0cf12bfbbda0fa6137325d7a446f0d763cca12d06b0e607246e5c53e
Instruction Fuzzy Hash: 5E21F972604241BBEB155B39ED49FBB7FACDF85B60F10802DF849CE193DA65DC01A6A0

Function 009C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00953AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00953A97,?,?,00952E7F,?,?,?,00000000), ref: 00953AC2

_wcslen.LIBCMT ref: 009C587B
CoInitialize.OLE32(00000000), ref: 009C5995
CoCreateInstance.OLE32(009EFCF8,00000000,00000001,009EFB68,?), ref: 009C59AE
CoUninitialize.OLE32 ref: 009C59CC

Strings

.lnk, xrefs: 009C5876, 009C58C1, 009C5985

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8390c88b71769d1d4e76ea35a67d1e2ba03ed7645dc771405bc5e17e51b06eb4
Instruction ID: 848f5eaca17f844b1f0eec87de107249fd3ee3ecb36ec27fa37e076d95777d0d
Opcode Fuzzy Hash: 8390c88b71769d1d4e76ea35a67d1e2ba03ed7645dc771405bc5e17e51b06eb4
Instruction Fuzzy Hash: F2D16371A087019FC704DF25C480E2ABBE5EF89714F15899DF88A9B361DB31ED85CB92

Function 009B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
Part of subcall function 009B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
Part of subcall function 009B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
Part of subcall function 009B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
Part of subcall function 009B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

GetLengthSid.ADVAPI32(?,00000000,009B1335), ref: 009B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B17BA
HeapAlloc.KERNEL32(00000000), ref: 009B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009B17DA
GetProcessHeap.KERNEL32(00000000,00000000,009B1335), ref: 009B17EE
HeapFree.KERNEL32(00000000), ref: 009B17F5

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction ID: ee878ca8ff158f289814f5023f7ac2a96842bbf56e916cfe5910b945c9b5a749
Opcode Fuzzy Hash: 75d9fcd4cf8751feae08bec54c18f4f7d6880691f966e071478a692ef4133015
Instruction Fuzzy Hash: D611AC72614205FFDB109FA4CD99BEE7BADEB42365F504018F8819B210CB35AD41DB60

Function 009B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 009B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B1515
CloseHandle.KERNEL32(00000004), ref: 009B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 009B1563

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction ID: 71a53b65e416cb028f12e94bbd33faa3f599fdbeabb1ed01b469b176ba5c7fa7
Opcode Fuzzy Hash: e28b9aaf347816c8321d6812ce9485c2dd97b513817e6d3d218f6e43e38d0b6e
Instruction Fuzzy Hash: 8A1129B2604249EBDF11CF98DE49BDE7BADEF48754F044025FA45A6060C3768E61EB60

Function 00973382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00973379,00972FE5), ref: 00973390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0097339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009733B7
SetLastError.KERNEL32(00000000,?,00973379,00972FE5), ref: 00973409

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0b00d3cf04ebd5b0b2b6e49b4cc4c21b40cd1d5d35f301c4ce4b1622dcdb5cad
Instruction ID: af5b2c6f02874494aa89b34242f9061edad3bce5f9f134dfd27ca895ec70b9b9
Opcode Fuzzy Hash: 0b00d3cf04ebd5b0b2b6e49b4cc4c21b40cd1d5d35f301c4ce4b1622dcdb5cad
Instruction Fuzzy Hash: 97012433248711BEE62567B47C86AA72A9DEB49779330C229F418842F1FF114D027244

Function 00982D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00985686,00993CD6,?,00000000,?,00985B6A,?,?,?,?,?,0097E6D1,?,00A18A48), ref: 00982D78
_free.LIBCMT ref: 00982DAB
_free.LIBCMT ref: 00982DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0097E6D1,?,00A18A48,00000010,00954F4A,?,?,00000000,00993CD6), ref: 00982DEC
_abort.LIBCMT ref: 00982DF2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 81a469b0784a54e581f546c0404c665d7792857e503d654bd90a0bfa459f2346
Instruction ID: 109817bfc6067db49afa396e5161870021f15b0f48afff4d9df2164f95bd85ac
Opcode Fuzzy Hash: 81a469b0784a54e581f546c0404c665d7792857e503d654bd90a0bfa459f2346
Instruction Fuzzy Hash: B3F0C87654960137C6127778BC06F5B2A5DAFC27B1F254518F825D73D2EF28DC025360

Function 009E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009E8A70
LineTo.GDI32(?,00000000,00000003), ref: 009E8A80
EndPath.GDI32(?), ref: 009E8A90
StrokePath.GDI32(?), ref: 009E8AA0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction ID: a4c4a55735cf9a76e25d8d6eb64e1e541f6492d58d20d6fe646918bfb3b35588
Opcode Fuzzy Hash: d3a6d0be53776330014672ff86958b1a070907faa216fe835e2a64813f460cdd
Instruction Fuzzy Hash: 94111E7600414CFFDF129F94DC88EAA7F6CEB04355F008021FA599A161C7719D56DF60

Function 009B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 009B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B5230
ReleaseDC.USER32(00000000,00000000), ref: 009B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 009B5261

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction ID: 70f77da14c7ef279cc17beb844388c7ccc99cc3639d726c8b3ad98ec6e28ffb3
Opcode Fuzzy Hash: 0216d2d3dcb744ac48ebe5b2bc454bc3ed2a0ae77d17631e63f62782c82cee2f
Instruction Fuzzy Hash: 6E018FB5A05709BBEF109BE59C89B4EBFB8EB88751F044065FA04AB281D6709C01DBA0

Function 00951BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00951BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00951BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00951C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00951C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00951C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00951C22

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction ID: d1266caf9e0bc77130e509beeac0e653762a08c67d65adc68201d6c676a3738d
Opcode Fuzzy Hash: 2d81dc2deb03db841c871f1197c86a255fa93e8517f14873a658b7fcb8a811dc
Instruction Fuzzy Hash: E50144B0902B5ABDE3008F6A8C85A52FFA8FF19754F00411BA15C4BA42C7B5A864CBE5

Function 009BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 009BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009BEB75

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction ID: ecb2f0ad360f0b0f4aeab63418c0dacb31edab8d058e2457c5ace89057803a5d
Opcode Fuzzy Hash: 3e08248f076385a5e5755752b7212c11ef9bb64b651849de926e1544aeb46e2f
Instruction Fuzzy Hash: 21F030B2154199BBE72157529C4DEEF3A7CEFCAF11F000158FA41D5091D7A05E02D6B5

Function 009A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 009A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 009A7469
GetWindowDC.USER32(?), ref: 009A7475
GetPixel.GDI32(00000000,?,?), ref: 009A7484
ReleaseDC.USER32(?,00000000), ref: 009A7496
GetSysColor.USER32(00000005), ref: 009A74B0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction ID: 4d842d7c27a6d162d9636c4fcfb3a301b56db589db45ffb53a38e7f2f70784ba
Opcode Fuzzy Hash: ced80e3dfc35c4f21aee98961186d16639a5114211a1018867b203ab094456ad
Instruction Fuzzy Hash: D6018B71418255FFDB509FA4DC49BAABBB6FB08311F100064F966A60B1CB311E42AB50

Function 009B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B187F
UnloadUserProfile.USERENV(?,?), ref: 009B188B
CloseHandle.KERNEL32(?), ref: 009B1894
CloseHandle.KERNEL32(?), ref: 009B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009B18A5
HeapFree.KERNEL32(00000000), ref: 009B18AC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction ID: 859f4c4b9e602df8f6797edcf4f95db82bafd9bca6b699148d5e20feafe8fa52
Opcode Fuzzy Hash: 6660ad93cf14820df4a919cdeaf17aa83d6525dac35a9feca2bb41f92319c0ac
Instruction Fuzzy Hash: B2E01AB601C241BFDB015FA1ED4CD0ABF39FF4AB22B108220F66589070CB329822EF50

Function 009BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC6EE
_wcslen.LIBCMT ref: 009BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009BC7CA

Strings

0, xrefs: 009BC6AF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: be303b3097d5d65557e14bd5208a6ce9217b2405443a670b87c8f2bc5ab31d5b
Instruction ID: 1f0804d23046e713bf616f68b01e44121d3da28ed4f7286363ae0c9e237b8e7a
Opcode Fuzzy Hash: be303b3097d5d65557e14bd5208a6ce9217b2405443a670b87c8f2bc5ab31d5b
Instruction Fuzzy Hash: 7051D0F16183019BD714DF28CA95BAB77E8AF89320F040A2DF995E31A0DB74DD04CB52

Function 009DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009DAEA3

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

GetProcessId.KERNEL32(00000000), ref: 009DAF38
CloseHandle.KERNEL32(00000000), ref: 009DAF67

Strings

<, xrefs: 009DAE6B
@, xrefs: 009DAE72

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6a0f18380b3e88da6710cccaee4e5352b1f8c08164b5477ee01d61bb8bb531dc
Instruction ID: 227ac1ec3d2e3a2ee37912624736fef153703f959cab6925290baed33196e499
Opcode Fuzzy Hash: 6a0f18380b3e88da6710cccaee4e5352b1f8c08164b5477ee01d61bb8bb531dc
Instruction Fuzzy Hash: 14718A71A00219DFCB14DF95D484A9EBBF4FF48310F04849AE856AB3A2D774EE45CBA1

Function 009B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009B72CF

Strings

DllGetClassObject, xrefs: 009B7242

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction ID: 377bb322911d7c7b374c5cb36f6716366d1cec2aa64d56aa7b4755d9f6b8f230
Opcode Fuzzy Hash: 5cb8cfc29f3f080da3e44a1c78c00a18ce5d34b6d3b10f18787683abae2c85ff
Instruction Fuzzy Hash: 974171B1A04204EFDB15CF94C984ADABBA9EF84320F1485ADBD159F20AD7B0DD45CBA0

Function 009E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E3E35
IsMenu.USER32(?), ref: 009E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E3E92
DrawMenuBar.USER32 ref: 009E3EA5

Strings

0, xrefs: 009E3D89

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b7e0367bbf3ab2e8f31bb809ecdaa64d4da5273d1b97cc73fdadd51bace19027
Instruction ID: 717b494924d3bfd2f8e47bf13edfc5ad6663a7589c48a0e814795102994ed991
Opcode Fuzzy Hash: b7e0367bbf3ab2e8f31bb809ecdaa64d4da5273d1b97cc73fdadd51bace19027
Instruction Fuzzy Hash: 4E417775A10249AFDB25DF61D888AAABBB9FF48350F048129F805AB250C730AE41CF50

Function 009B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 009B1EA9

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Strings

ComboBox, xrefs: 009B1DF0
ListBox, xrefs: 009B1E25

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 2f6f410e2600d4635a194f83860c33442611c3bdf4742c652d31c28c29ba291e
Instruction ID: 375eb6114bad3f9b4cad3708f1b9a119b6f2657c6fc09a8280247882c6ba7ccd
Opcode Fuzzy Hash: 2f6f410e2600d4635a194f83860c33442611c3bdf4742c652d31c28c29ba291e
Instruction Fuzzy Hash: 85217771A00104BEDB04ABA1DD96DFFBBBCEF81360B504419FC65A71E1DB388D0A8720

Function 009DC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009DC9F1
_wcslen.LIBCMT ref: 009DCA68
_wcslen.LIBCMT ref: 009DCA9E
_wcslen.LIBCMT ref: 009DCAF9
_wcslen.LIBCMT ref: 009DCB2F
_wcslen.LIBCMT ref: 009DCB7F

Strings

HKLM, xrefs: 009DCA98, 009DCA9D
HKEY_LOCAL_MACHINE, xrefs: 009DCA62, 009DCA67

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: e07426eb2afef287d5ae35083112c596815803d2bd8521882e04129bc823cb0e
Instruction ID: fe64dfa1230dd19cb96d85b64fdd2b3c80189cd5d2f70065dd7573db820dfea0
Opcode Fuzzy Hash: e07426eb2afef287d5ae35083112c596815803d2bd8521882e04129bc823cb0e
Instruction Fuzzy Hash: 2931F8B3A8016B8BCB20DF6CC9401BE33A95BA1790B15C42BFC55AF345EA71CD85D3A0

Function 009E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E2F8D
LoadLibraryW.KERNEL32(?), ref: 009E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E2FA9
DestroyWindow.USER32(?), ref: 009E2FB1

Strings

SysAnimate32, xrefs: 009E2F68

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction ID: e8412e8f104b0dc6030e5674b27c5e9ff1c2f1db4a0536b76c734d2737b8a299
Opcode Fuzzy Hash: 1404807aee170ab75bd9942c72347c384a596e3511a9858bbec2e3797ac05e9a
Instruction Fuzzy Hash: 0821C072604285ABEB124F66DC81FBB37BDFB59364F100A28F950D6190D771DC519760

Function 00974D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002), ref: 00974D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00974DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00974D1E,009828E9,?,00974CBE,009828E9,00A188B8,0000000C,00974E15,009828E9,00000002,00000000), ref: 00974DC3

Strings

mscoree.dll, xrefs: 00974D86
CorExitProcess, xrefs: 00974D98

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction ID: de233ef61719d30299ce8c582abfb56da8342175d5b54c869373c3e3abbd5a0a
Opcode Fuzzy Hash: 6d8b8cb742dcc3cf26fb2a67a29c6df123e158968f318e2cae7b08567dc0a39e
Instruction Fuzzy Hash: ECF06275A54308BBDB119F90DC49BEDBFB9EF84752F0040A8F949A62A1DB30AD41DB90

Function 00954E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00954EAE
FreeLibrary.KERNEL32(00000000,?,?,00954EDD,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954EC0

Strings

kernel32.dll, xrefs: 00954E94
Wow64DisableWow64FsRedirection, xrefs: 00954EA8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction ID: 6dbc4feb8a200a014b8157f21597533f174d4d7895dbcbdedda13492c4542f71
Opcode Fuzzy Hash: be2212f92a267e9a66127e02551b50c682b27c71d4a7a843b40949c3357c451e
Instruction Fuzzy Hash: 11E0CD76E196225FD3725B266C1DB5F655CAFC2F677050115FC40D7100DB60CD4B91A0

Function 00954E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00954E74
FreeLibrary.KERNEL32(00000000,?,?,00993CDE,?,00A21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00954E87

Strings

kernel32.dll, xrefs: 00954E5B
Wow64RevertWow64FsRedirection, xrefs: 00954E6E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction ID: cd5fc089894a196fe3a339bacb3f7e9a4cdb3ac452ec2f29d906931b0672da87
Opcode Fuzzy Hash: 025f50d6a0fb54c43a4f691e0b31e1de92e023fe04c537d2c00ad73c9d75bdbf
Instruction Fuzzy Hash: 95D0C23291A6616B4A621B267C09D8B2A1CAF81F2A3050514BC41A6110CF20CD4AD2D1

Function 009C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2C05
DeleteFileW.KERNEL32(?), ref: 009C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C2CC0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a5d92eb3ed21a6f1606170a78aadd05fc5565adefa1f97724cb1d6a6844d1853
Instruction ID: 0ac09d4ae798fa6b43d21e195fcd1382e5989fe8fe2ef60d353e542a16748285
Opcode Fuzzy Hash: a5d92eb3ed21a6f1606170a78aadd05fc5565adefa1f97724cb1d6a6844d1853
Instruction Fuzzy Hash: 18B13D72D01119ABDF11DBA4CC85FDEBB7DEF89350F1040AAFA09E6181EA309E448F61

Function 009DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DA468
CloseHandle.KERNEL32(?), ref: 009DA63D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 66a12a3d26431f9ef60d1303d00f8ec873faff9986650931da8e0b0f5599e4a3
Instruction ID: 857a90c2d26fa639759dc059d3708daa7f8ba1fc90b3a6af05eac08582294eb1
Opcode Fuzzy Hash: 66a12a3d26431f9ef60d1303d00f8ec873faff9986650931da8e0b0f5599e4a3
Instruction Fuzzy Hash: 06A1AFB16043009FD720DF25D886F2AB7E5AF84714F14885DF99A9B392DBB0EC45CB82

Function 009BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009BCF22,?), ref: 009BDDFD

Part of subcall function 009BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009BCF22,?), ref: 009BDE16

Part of subcall function 009BE199: GetFileAttributesW.KERNEL32(?,009BCF95), ref: 009BE19A

lstrcmpiW.KERNEL32(?,?), ref: 009BE473
MoveFileW.KERNEL32(?,?), ref: 009BE4AC
_wcslen.LIBCMT ref: 009BE5EB
_wcslen.LIBCMT ref: 009BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009BE650

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 69813f56267c0b48f33b95887b9e41cb0517b7647fe34d3e0b6cdcfed624ef61
Instruction ID: 800d3c690db677b67066aeb1af3cd38321d3b2539bfe5016638e423dfed3487c
Opcode Fuzzy Hash: 69813f56267c0b48f33b95887b9e41cb0517b7647fe34d3e0b6cdcfed624ef61
Instruction Fuzzy Hash: 0B5172B24083859BD724DBA4D881ADB73EDAFC4350F00492EF689D3191EF74A68C8766

Function 009DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DB6AE,?,?), ref: 009DC9B5
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DC9F1
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA68
Part of subcall function 009DC998: _wcslen.LIBCMT ref: 009DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009DBB63
RegCloseKey.ADVAPI32(?,?), ref: 009DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009DBBB3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 268e913065e23d539d8c44871f6f5e61bf310dae7dc5c240d653036dbd5249fe
Instruction ID: 8efe4e5d6d593f75bb6cf27340d4b3d90fd09c6f71f9a6547657751cf6786fde
Opcode Fuzzy Hash: 268e913065e23d539d8c44871f6f5e61bf310dae7dc5c240d653036dbd5249fe
Instruction Fuzzy Hash: 1661AD71208241EFD714DF14C490E2ABBE9FF84308F55895EF4998B2A2DB35ED46CB92

Function 009B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009B8BCD
VariantClear.OLEAUT32 ref: 009B8C3E
VariantClear.OLEAUT32 ref: 009B8C9D
VariantClear.OLEAUT32(?), ref: 009B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009B8D3B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction ID: 9068806f475d322d1b7631621551949dee93f453217d267a5029cc4913b65354
Opcode Fuzzy Hash: a621c28d63fd94a5d562bed244e828532d5769f88a6f1a266cfa8584180fd3a8
Instruction Fuzzy Hash: E4516AB5A10219EFCB10CF68C894AAAB7F9FF8D310B15855AE949DB350E730E911CF90

Function 009C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009C8C5F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 275e432d64a44c130b9fc73fdc014407559438b2f0799f5ba790148e2230534c
Instruction ID: 830da4ee1dfe8c13bc00d61f5f3a6cf175399bdaef2bb0096550af3b143c9ed8
Opcode Fuzzy Hash: 275e432d64a44c130b9fc73fdc014407559438b2f0799f5ba790148e2230534c
Instruction Fuzzy Hash: 78516A75A00214AFCB05DF65C880E6EBBF5FF88314F088458E849AB362DB31ED56CB91

Function 009D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009D9032
FreeLibrary.KERNEL32(00000000), ref: 009D9052

Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009C1043,?,753CE610), ref: 0096F6E6
Part of subcall function 0096F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009AFA64,00000000,00000000,?,?,009C1043,?,753CE610,?,009AFA64), ref: 0096F70D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction ID: 060d274c6b59b82fc3abef47aec04c8286047aa9914f387ea8f0a635afb0a84f
Opcode Fuzzy Hash: f8f4836f84d71ab2ae9cb506d5dfa8408ac7848a5f8ed4f24179a8c8eec9710a
Instruction Fuzzy Hash: 06516C34604205DFC705EF68C4949ADBBF5FF89314B04C0A9E80A9B362DB31ED8ACB90

Function 009E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009CAB79,00000000,00000000), ref: 009E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009E6CC7

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction ID: 23a0ce3622a25c98507e393d63187ba7f4c45f4bfbe6501a76e6e16e206edba1
Opcode Fuzzy Hash: 34f4bd17510f6e2cef2f16e1a1548a9badf201afb6c9e24cdc8433fae71f55c7
Instruction Fuzzy Hash: 4141E635A04184AFD726CF6ACC95FB57BA9EB19390F240628FED5A72E0C371AD41DA40

Function 00982051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009820C3
_free.LIBCMT ref: 009820E3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction ID: 7f06820ce8a0c8ecdf195aaa98c58ac9ca126ac3c6b0b9fdf5e851e8ff7f5904
Opcode Fuzzy Hash: a5d8309b955d17ca76c6d9459d2b673a10c455daa5bc84442662bbbd46212ba7
Instruction Fuzzy Hash: 0A41F672A002009FCB24EF78C885A5DB7F5EF89314F258569E515EB392D731ED01CB80

Function 0096912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00969141
ScreenToClient.USER32(00000000,?), ref: 0096915E
GetAsyncKeyState.USER32(00000001), ref: 00969183
GetAsyncKeyState.USER32(00000002), ref: 0096919D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction ID: 22d79e8636dc816252bbd6e9802c50458d806b61bb2dfd7478758516ca45cd42
Opcode Fuzzy Hash: 73665da747a09d9513db2b427302e1d03da00415da60a0a8713c1e2d2e00f27d
Instruction Fuzzy Hash: D1417F71A0C60AFBDF059FA8C844BEEF7B8FB46320F208615E465A7290C7346D54DB91

Function 009C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009C3922
TranslateMessage.USER32(?), ref: 009C394B
DispatchMessageW.USER32(?), ref: 009C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009C3966

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction ID: 9d8eab7f5455eb7a23c5e2e32facf0c3fe1a53bf99d4e812bc26d6c318a2f0ff
Opcode Fuzzy Hash: a41423d4cad1daff0daeeb5dbc42942b61571d163c9e4b73e550354c5898440b
Instruction Fuzzy Hash: 52319770D08382DFEB35CB799848FB637ACAB15304F04C57DE452961A0E7B59A86DB13

Function 009CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009CC21E,00000000), ref: 009CCFF2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bd0b257c6ccd3a8afc57e90abf6857b4607a179154c920a0b4654921a2ca8632
Instruction ID: 7c81a07f1a47cea87859abb6f52f5e842be5810dabcc569790ffb6efa80ad853
Opcode Fuzzy Hash: bd0b257c6ccd3a8afc57e90abf6857b4607a179154c920a0b4654921a2ca8632
Instruction Fuzzy Hash: 743147B1A04205AFDB20DFA5D884FAABFFEEB14351B10442EF55AD6241DB30EE419B61

Function 009B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009B19E2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction ID: de6f979d617bf279fecd6f408893d3ab0efb739dd06e52f8a2997f4b59782837
Opcode Fuzzy Hash: 0efc7c65c23ee538380fb460c5ce249088f822f9345a40d57596f053b75c1372
Instruction Fuzzy Hash: 4631D171A00259EFCB04CFA8DEA9ADE3BB5EB45325F104229F961EB2D1C7709D44DB90

Function 009E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009E579D
_wcslen.LIBCMT ref: 009E57AF
_wcslen.LIBCMT ref: 009E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction ID: a69fbb205450a3ae857644aa4362fbebb4aa1a6576e20cc4e22c6508ea7bb263
Opcode Fuzzy Hash: 9a09c93ba756f415d1f148cd4c29767aefa75522e9e93b34931e58e9d7c2716f
Instruction Fuzzy Hash: D321D571904698DADB219FA2CC84AEE77BCFF40728F108216E919EB1C1E7708D81CF50

Function 009D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009D0951
GetForegroundWindow.USER32 ref: 009D0968
GetDC.USER32(00000000), ref: 009D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009D09B0
ReleaseDC.USER32(00000000,00000003), ref: 009D09E8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction ID: 32d2dfb84e163566aafcc2d17fddb3b82241a851c6166d08d495cb8ac1fbae48
Opcode Fuzzy Hash: 4ff9f2403d9d596fa785c4b9dd808543ec99e7b87acb1435266cddcf6c630879
Instruction Fuzzy Hash: 7D21A475A00204AFD704EF65D884B5EB7E5EF84740F00842DF886D7352DB30AC05DB50

Function 0098CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0098CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0098CDE9

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0098CE0F
_free.LIBCMT ref: 0098CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0098CE31

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction ID: 63b3b1dfd7c2f8675832e932454fb5348285cdfe484b22493e836da078c3f33b
Opcode Fuzzy Hash: 646e21524295e8951c2fe286ff1c7fca8b0242a73cf1797756026484c068ca64
Instruction Fuzzy Hash: 2301F7F26052557FA32136B66C8CD7B7A6DEFC6BA13154129FD05C7302EA718D0293B0

Function 00969639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
SelectObject.GDI32(?,00000000), ref: 009696A2
BeginPath.GDI32(?), ref: 009696B9
SelectObject.GDI32(?,00000000), ref: 009696E2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction ID: ffaa632bb975c0ef5f67db03a22237f45f1a7ab8c8296ffea9b388cd6c304d1f
Opcode Fuzzy Hash: 5fadd54578c344cc01f196d10c68e39577c6dbff354c07bc82d5b9426af69ab1
Instruction Fuzzy Hash: 9F2180B0816345EBDF21DFA8EC497B97BACBB61355F100226F420A61B0D3705893DF90

Function 009B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009B5726
_memcmp.LIBVCRUNTIME ref: 009B5744
_memcmp.LIBVCRUNTIME ref: 009B5757
_memcmp.LIBVCRUNTIME ref: 009B576F
_memcmp.LIBVCRUNTIME ref: 009B5787

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction ID: a947b80bbebeec159fed2ea8ac0aeaa337f82ac48bce20c324a72657327932c2
Opcode Fuzzy Hash: 7c3b46483999486ec9e1d9a6c8d356633bd975434a79c0b38ac6b09eae0db9c2
Instruction Fuzzy Hash: B401B572741609BBE20955159FD2FFB735C9BA13BCF254021FD0C9A241FB60EE1182A0

Function 0096990E Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1
GetWindowLongW.USER32(?,000000EB), ref: 00969952

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction ID: afe55ad672d3fe431c6af845ae73b2b943955d58c4012ff7725fee7006c33162
Opcode Fuzzy Hash: 9986395efb0f7ced439f67a94e6e0bdf0be23390c8387c2126dffe4df5616b6f
Instruction Fuzzy Hash: CA1138316492509BC7218B74EC99AFA3B6CEB56335F08021DF1E24E1E1CB310C82DB50

Function 00982DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0097F2DE,00983863,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6), ref: 00982DFD
_free.LIBCMT ref: 00982E32
_free.LIBCMT ref: 00982E59
SetLastError.KERNEL32(00000000,00951129), ref: 00982E66
SetLastError.KERNEL32(00000000,00951129), ref: 00982E6F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 40ed95061e8bfaf40be0c3b1311451838ef70dfa03c4ca7e537e5634282c55b2
Instruction ID: ccf26208bd827aaaabef631b40ea65a56dfc45b58f849986375870ced529adc4
Opcode Fuzzy Hash: 40ed95061e8bfaf40be0c3b1311451838ef70dfa03c4ca7e537e5634282c55b2
Instruction Fuzzy Hash: 290128722456007BC61277786C89E6B265DAFC17B1B218538F865E33D3EF38CC025324

Function 009B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?,?,009B035E), ref: 009B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?), ref: 009B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009AFF41,80070057,?,?), ref: 009B0070

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction ID: 21a35fbe64f393b6c83654f259b74fb2bbce1767a18bb158a400d5b85f256eff
Opcode Fuzzy Hash: fa63ba14cf84da2947fac34bcf922a4525fdc5c78aaeb56f0637bdf84b0198f7
Instruction Fuzzy Hash: 4701F2B2614208BFDB115F68DE44BEB7AEDEF843A1F104024F845D6210D770CD00DBA0

Function 009BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 009BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 009BE9A5
Sleep.KERNEL32(00000000), ref: 009BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 009BE9B7
Sleep.KERNEL32 ref: 009BE9F3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction ID: 01e4077231e59c94ddf9cceeb162ff816a5dc6d12632b37ec3275d1992b46382
Opcode Fuzzy Hash: f127f6114421daefa7af05156c2e68c265b6f94208434e12e8323ea89ed91861
Instruction Fuzzy Hash: CD015B71C0592DDBCF009FE5D999ADDBB7CBB09321F000546E542B2241CB3499599BA1

Function 009B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009B0B9B,?,?,?), ref: 009B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B114D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction ID: c6bcadc0d6a03f8e48e5eb6b805fe0634ecd86504e63affff97d13e527f20330
Opcode Fuzzy Hash: 256aaaedfbeb82a049dbdaac0c17f86f5bf8bec61aacee08478ad995cf09faac
Instruction Fuzzy Hash: EB0131B5114205BFDB114F69DC99EAA3F6EEF86360B504419FA85D7350DB31DC019A60

Function 009B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B1002

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction ID: 0804f5e99a2ab756aa19820a50659d30f95bb54c1c4248e3ab4a86af08ec0254
Opcode Fuzzy Hash: f05ad00e40066b9842b9eca7ee6a08eadd05ca096655dfba9a6abbee256db956
Instruction Fuzzy Hash: D9F0CDB5204345EBDB211FA4DC8DF963BADEF8AB62F500414FE85CB261CA30DC419A60

Function 009B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction ID: 4f6c17e37a9c33467c3adf94fb7e7cf27f3922e5afba0b8d4561c244c3f7f7b4
Opcode Fuzzy Hash: ed6a8ed819899519e57ab96ac0ce4f3ff2880c102a2848ce0859044a5d521234
Instruction Fuzzy Hash: 1CF06DB5214341EBDB216FA4ED99F963BADEF8A761F500414FE85CB250CA70DC419A60

Function 009C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0324
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0331
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C033E
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C034B
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0358
CloseHandle.KERNEL32(?,?,?,?,009C017D,?,009C32FC,?,00000001,00992592,?), ref: 009C0365

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction ID: 790dc4bf0bd8005f8a3573ea2665a2b0f2c13ea121e77323412af889c195302a
Opcode Fuzzy Hash: 8e484e3f16f848a6a721b34c936da22d0934e026b79e2aa63e398d9940b42c48
Instruction Fuzzy Hash: A201AA72800B95DFCB30AF66D880912FBF9BFA03153158A3FD19652931C3B1A999DF81

Function 0098D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0098D752

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 0098D764
_free.LIBCMT ref: 0098D776
_free.LIBCMT ref: 0098D788
_free.LIBCMT ref: 0098D79A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction ID: 5e50de6e85756dda308bd60040127384b96b03c9dfc96df96a32a158cac9fcb7
Opcode Fuzzy Hash: ad613903ad94527b8d93ae7ed26ed30960038637a417c4a4faa7caa24a95c78f
Instruction Fuzzy Hash: 01F05B72545204ABC621FBA8FAC5D5677EDBB447207954C05F049D7741C735FC818774

Function 009B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 009B5C6F
MessageBeep.USER32(00000000), ref: 009B5C87
KillTimer.USER32(?,0000040A), ref: 009B5CA3
EndDialog.USER32(?,00000001), ref: 009B5CBD

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction ID: 9e6128bd5f2a882a1d23eab9fd3e017cec58345bb87d3d6256b1e768e8eba107
Opcode Fuzzy Hash: 6cb15b7895f277e8bb56863cb8791cf20cd06ba3648ec0e637533062f841a4b2
Instruction Fuzzy Hash: 67018170514B44ABEB205B10DE8EFE67BB9BB04B05F010559A5C3A50E1DBF4AD899B90

Function 009822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009822BE

Part of subcall function 009829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000), ref: 009829DE
Part of subcall function 009829C8: GetLastError.KERNEL32(00000000,?,0098D7D1,00000000,00000000,00000000,00000000,?,0098D7F8,00000000,00000007,00000000,?,0098DBF5,00000000,00000000), ref: 009829F0

_free.LIBCMT ref: 009822D0
_free.LIBCMT ref: 009822E3
_free.LIBCMT ref: 009822F4
_free.LIBCMT ref: 00982305

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction ID: 1a908c25e4506e57d58de6312acd57c138d4a388494c624caf83b8416a77e5cc
Opcode Fuzzy Hash: eac4bc985685cf8b2251fa8d4c00cf46028345aa6f9912c2b9d87ff2c87a8379
Instruction Fuzzy Hash: 89F05E708801208BC632FFDCBE41DA83B68F728760702056AF410D23B2C7361853AFE4

Function 009695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009695D4
StrokeAndFillPath.GDI32(?,?,009A71F7,00000000,?,?,?), ref: 009695F0
SelectObject.GDI32(?,00000000), ref: 00969603
DeleteObject.GDI32 ref: 00969616
StrokePath.GDI32(?), ref: 00969631

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction ID: b4c0741466405faec528d4f6d8ff42a0b1e8041bbc250e1400ae258e9dea3e43
Opcode Fuzzy Hash: 1802959ae11ca2508268c9de0d17e699ae29b6da55bc025872ed64367742fecc
Instruction Fuzzy Hash: B0F0C971019388EBDB269FA9ED58B743B69AB12322F448224F865590F0C7348997EF20

Function 00980F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009810F9
__freea.LIBCMT ref: 00981117

Part of subcall function 00981537: _free.LIBCMT ref: 0098154F

Strings

a/p, xrefs: 009811DE
am/pm, xrefs: 0098117A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction ID: 0d7f6a33c136344d748fd6fe6a30e05012c165086366e24322abd075e22e52b0
Opcode Fuzzy Hash: b0e66bc0b99b966db787791e679ed5613ce7a83e278d61bf8064c1f1c473fc12
Instruction Fuzzy Hash: 36D1F331904206CBCB28BF68C849BFEB7BCEF46700F24455AE9169B751D3799D82CB91

Function 009D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00970242: EnterCriticalSection.KERNEL32(00A2070C,00A21884,?,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097024D
Part of subcall function 00970242: LeaveCriticalSection.KERNEL32(00A2070C,?,0096198B,00A22518,?,?,?,009512F9,00000000), ref: 0097028A

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009700A3: __onexit.LIBCMT ref: 009700A9

__Init_thread_footer.LIBCMT ref: 009D7BFB

Part of subcall function 009701F8: EnterCriticalSection.KERNEL32(00A2070C,?,?,00968747,00A22514), ref: 00970202
Part of subcall function 009701F8: LeaveCriticalSection.KERNEL32(00A2070C,?,00968747,00A22514), ref: 00970235

Strings

5, xrefs: 009D7C78
Variable must be of type 'Object'., xrefs: 009D7C3A
G, xrefs: 009D7C7F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: dfdea7e611c1740a7942eedd12139fd7cfba31f008e88792b41a899fd9ee029a
Instruction ID: 95131477226f81b88daa80e4da4e8a92f51dccf096df7b96e73c3b576be220a6
Opcode Fuzzy Hash: dfdea7e611c1740a7942eedd12139fd7cfba31f008e88792b41a899fd9ee029a
Instruction Fuzzy Hash: C2918C70A44209EFCB14EF94D891AADB7B6BF85300F10C45AF8466B392EB31AE45CB51

Function 009B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21D0,?,?,00000034,00000800,?,00000034), ref: 009BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009B2760

Part of subcall function 009BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009BB3F8

Part of subcall function 009BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009BB355
Part of subcall function 009BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB365
Part of subcall function 009BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009B2194,00000034,?,?,00001004,00000000,00000000), ref: 009BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B281A

Strings

@, xrefs: 009B2832

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction ID: 6d79b91d70858c84c21051acf32d8ba31859e73423fd4f3641f38e1d1d716eda
Opcode Fuzzy Hash: 0fef3130b7f6cf2b528625d1e6d0e5ecd0534a497dcbefe919e5de7f315fd19b
Instruction Fuzzy Hash: F4414B72900218AFDB10DFA4CD85BEEBBB8EF49710F104099FA55B7191DB706E45CBA0

Function 0098172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00981769
_free.LIBCMT ref: 00981834
_free.LIBCMT ref: 0098183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00981760, 00981767, 00981796, 009817CE

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction ID: 2efeb0fc147fd98cb8c0847ce5de7489eec804ed90176c6d6050db7a4b4e1e90
Opcode Fuzzy Hash: 8efb17bea0fe52246f89eedbafb27657ad412dabe484eea9f5c01bb9795e6418
Instruction Fuzzy Hash: 11315E75A04218EBDB21EB999885EAEBBFCEB95710B1441BAF804D7311D6709E42CB90

Function 009BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 009BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A21990,00F45720), ref: 009BC395

Strings

0, xrefs: 009BC2DF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction ID: 68e74bb7b69a1ae3d48d996ff36581bfe17a03cdbfdecfc278985e7b655e2184
Opcode Fuzzy Hash: 85c84cd92944fe683bca21b38d3db65ab25f0773d63ed11de172671b53bf7124
Instruction Fuzzy Hash: DB41B0B12083419FD720DF25D984F9ABBE8AFC5321F048A1EF9A5972D1D770E904CB62

Function 009E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009ECC08,00000000,?,?,?,?), ref: 009E44AA
GetWindowLongW.USER32 ref: 009E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E44D7

Strings

SysTreeView32, xrefs: 009E447C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction ID: 8b27dce08c2dde75113ff6d9a8e4926a4bbae2852031a435003ca1d0bedc2b35
Opcode Fuzzy Hash: 310d2d5c9cf151a36f4168f6432872ef3c0af92d816a2ce1e47ef9ac7a64797a
Instruction Fuzzy Hash: A831CB71210285AFDB228F39DC85BEB7BA9EB48334F204724F979921E0DB70EC519B50

Function 009D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009D3077,?,?), ref: 009D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009D307A
_wcslen.LIBCMT ref: 009D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009D3106

Strings

255.255.255.255, xrefs: 009D3095, 009D309A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction ID: a40f9cf8823beb9699304a99167341b2f2d9c61abd0e2a90eab690ef88574a4b
Opcode Fuzzy Hash: 7fa85e68c536b62b376d35a9f94705cb41588eb6c0c2c51b7131c9e4e2dba6c1
Instruction Fuzzy Hash: 7231F339204202DFCB10CF68C586EAA77E4EF54319F24C05AE9158F392CB32EE45C762

Function 009E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E3F78

Strings

SysMonthCal32, xrefs: 009E3F0B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6f64d2db0019424a12cfe20810a3b420f87e888c79dcd7806bde5523a9a57b1c
Instruction ID: 5fd0de8bc49d6e48b22a1e6ecb75e149ebaa8f3104717975498708250f2e9599
Opcode Fuzzy Hash: 6f64d2db0019424a12cfe20810a3b420f87e888c79dcd7806bde5523a9a57b1c
Instruction Fuzzy Hash: 9321BF32610259BBEF228F91CC86FEA3B79EF88724F114214FE156B1D0D6B1AD51DB90

Function 009E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009E471A

Strings

msctls_updown32, xrefs: 009E4684

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction ID: 64e95c324e9f2a5961fb10df55630ab6ff75564a290d46b78d17127857700c39
Opcode Fuzzy Hash: b0d49a3c0ed4ea895692cae10e8fe43d35d10d3967a1214243237dc5d83166b9
Instruction Fuzzy Hash: 222160B5600249AFDB11DF69DCC1DB737ADEB9A7A4B040459FA009B351CB31EC52DBA0

Function 009B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B961D

Strings

#OnAutoItStartRegister, xrefs: 009B95F3
#notrayicon, xrefs: 009B95B7
#requireadmin, xrefs: 009B95D9

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9b2859bead4b14c6240a1f44bf64033a3d459ceb45c2d39259a4874e7007b452
Instruction ID: 6f124b7b286b63a5095258108178e807f1c670cb67b33dc59b2d81ebda15765e
Opcode Fuzzy Hash: 9b2859bead4b14c6240a1f44bf64033a3d459ceb45c2d39259a4874e7007b452
Instruction Fuzzy Hash: 64213832164210A6C331AA259E16FFBB39C9FD1320F148426FE499B041EB959E45C395

Function 009E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E3876

Strings

Listbox, xrefs: 009E380F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction ID: 4d0668d20d5932726495416fe93e57b5e6906029a7635813ff15c6f78267eba6
Opcode Fuzzy Hash: 8ab8a0b19e17be87fe47bd836e157dc61d97deee1748a465768d2da7eec51e93
Instruction Fuzzy Hash: 48219272610158BBEF228F66CC85FBB376EEF89754F108124F9449B190C672DC52C7A0

Function 009C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009C4A5C
SetErrorMode.KERNEL32(00000000,?,?,009ECC08), ref: 009C4AD0

Strings

%lu, xrefs: 009C4A6F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction ID: 3bcf730dbbd1fc1bac279501125d31c21d1bb23a8b31cfe6d813c83f315f9072
Opcode Fuzzy Hash: 645a747a6c3b3d17c6c0e157284f2c43091f45e4ee407143a36494956ff3443b
Instruction Fuzzy Hash: C4314C71A00109AFDB10DF64C885EAA7BF8EF49308F1480A9F949DB252D771EE46CB61

Function 009E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E4271

Strings

msctls_trackbar32, xrefs: 009E4226

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction ID: 5b786809c3fef6584de9428f829578d88314d8e83740b12ffe1df743173d8031
Opcode Fuzzy Hash: 47d724fbfbfe90752fd5f34a991218bdf09086cec358de59c60fe1e0585a859a
Instruction Fuzzy Hash: E5110631240288BEEF219F7ACC46FAB3BACEF99B64F010524FA55E61D0D271DC619B10

Function 009B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00956B57: _wcslen.LIBCMT ref: 00956B6A

Part of subcall function 009B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
Part of subcall function 009B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
Part of subcall function 009B2DA7: GetCurrentThreadId.KERNEL32 ref: 009B2DDD
Part of subcall function 009B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

GetFocus.USER32 ref: 009B2F78

Part of subcall function 009B2DEE: GetParent.USER32(00000000), ref: 009B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 009B2FC3
EnumChildWindows.USER32(?,009B303B), ref: 009B2FEB

Strings

%s%d, xrefs: 009B2FFF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction ID: 62e30b2ea19f6bbd9007937c124eea5c05f6dad134c16db6cc1898c394317489
Opcode Fuzzy Hash: a15c8e4ad9d4f4a3210b266bd6a215743c51f3b89c681a01f4642f899649474a
Instruction Fuzzy Hash: 1511A2B1600209ABCF14BF719DC5FEE376AAFD4314F048075BD09AB192DE74994A9B60

Function 009E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009E58EE
DrawMenuBar.USER32(?), ref: 009E58FD

Strings

0, xrefs: 009E588F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 15a012aeada0cf80f1360396bc7f12f9a43dece0df71d8695f9ff4558626f0b6
Instruction ID: 996673d718f860dfa2bccf2334d64c7e575d2f87416539d6281abd380dbb71f8
Opcode Fuzzy Hash: 15a012aeada0cf80f1360396bc7f12f9a43dece0df71d8695f9ff4558626f0b6
Instruction Fuzzy Hash: 83016171514258EFDB129F12DC44BEEBBB8FB45364F108099F949DA151DB308E94EF21

Function 009AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009AD3BF
FreeLibrary.KERNEL32 ref: 009AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 009AD3B9
X64, xrefs: 009AD2A8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction ID: 78ce0dd4ddd88b542089959c104bf101e5582fdf2372280170cb0b8b8a605477
Opcode Fuzzy Hash: ec7e211588638056159d2dc28c523fcec46404fc7047f0e48a8796f7f6a1b063
Instruction Fuzzy Hash: F8F0ABB180B721DBDB7242204C68BAD3328BF12B01B548928FC63F6804EF64CC45C2D2

Function 009B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction ID: af5ef26ab741dc70dd6fad570c0c98ad19a3f89323186498bdd54c89955a25cc
Opcode Fuzzy Hash: bc551adb686aca235789acdb6fbe673d59042f4d06c31401987958dcf3f3ea41
Instruction Fuzzy Hash: CCC14C75A0020AEFDB14CFA8C998BAEB7B9FF88714F108598E515EB251D731ED41CB90

Function 00983E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00983F0B
__alldvrm.LIBCMT ref: 0098410C
__alldvrm.LIBCMT ref: 0098412E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 679c6478969cbf53308d15ba6d1765af1bd58e6edd0ca6a060f6e46b0d2d54ed
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 89A16B72E043879FEB15EF18C8917AEBBE9EF61350F14416DE5859B382C6388D41C790

Function 009D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009D3459
CoUninitialize.OLE32 ref: 009D3463
VariantInit.OLEAUT32(?), ref: 009D346E
VariantClear.OLEAUT32(?), ref: 009D371B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4f1e7d204c1073e46274004be03e18d4304d061107f20c6fafc8b8b80aa332ac
Instruction ID: 5656f8d5f5045ab6847fd0f4673e033ea277eeeb56f0105ee7e40ad125317859
Opcode Fuzzy Hash: 4f1e7d204c1073e46274004be03e18d4304d061107f20c6fafc8b8b80aa332ac
Instruction Fuzzy Hash: 4AA138756043009FC700DF69D585A2AB7E9FF88715F04C85AF98A9B362DB30EE05CB92

Function 009B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B0608
CLSIDFromProgID.OLE32(?,?,00000000,009ECC40,000000FF,?,00000000,00000800,00000000,?,009EFC08,?), ref: 009B062D
_memcmp.LIBVCRUNTIME ref: 009B064E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 78ec15ba2b40c20296a528e6f7da5d1134e60e25010b84971594a2ae58920e80
Instruction ID: 6adb178842a48f3974155fa2a4a52942e66d96f1c9f90d0db12e52c8a87c3b4a
Opcode Fuzzy Hash: 78ec15ba2b40c20296a528e6f7da5d1134e60e25010b84971594a2ae58920e80
Instruction Fuzzy Hash: C081FA75A00209EFCB14DF98C984EEEB7B9FF89315F204558F516AB250DB71AE06CB60

Function 009DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009DA6BA

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Process32NextW.KERNEL32(00000000,?), ref: 009DA79C
CloseHandle.KERNEL32(00000000), ref: 009DA7AB

Part of subcall function 0096CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00993303,?), ref: 0096CE8A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c20e78cdb079bd5b4692d528d47476aae3bbc391ad09c41d57a7667953428a26
Instruction ID: 86181047e52b05461b1843d766b8d598b9d4af24e85bc6cfc3ec82cf3b963711
Opcode Fuzzy Hash: c20e78cdb079bd5b4692d528d47476aae3bbc391ad09c41d57a7667953428a26
Instruction Fuzzy Hash: 8B5150B15083009FD710EF25D886A6BBBE8FFC9754F40891DF98597262EB30D908CB92

Function 00991391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009914C0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f6cf9aaf0edf384882611d8c543609350a998835f900443088be512304c3e015
Instruction ID: 24fdadc6c2e2b11671a337d6c6bf2d8607568531c3f4d49255c05178360ef364
Opcode Fuzzy Hash: f6cf9aaf0edf384882611d8c543609350a998835f900443088be512304c3e015
Instruction Fuzzy Hash: 5B412D36600112ABDF257BFD8C467BE3BA8FF89370F254625F429D72A2E63488415762

Function 009E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009E62E2
ScreenToClient.USER32(?,?), ref: 009E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009E6382

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction ID: 0edcd59c37f5b2add2c1b73d16392d71bd5ade2fbbb689dbec7b22b97d6b949a
Opcode Fuzzy Hash: a2bd18f7009debf11bd8822e429614760f7dee8a88321e6ded191a7e22889553
Instruction Fuzzy Hash: A1512F74900245EFDF11DF59D880AAE7BB6FF553A0F108169F9559B290D730ED81CB50

Function 009D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009D1AFD
WSAGetLastError.WSOCK32 ref: 009D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D1B8A
WSAGetLastError.WSOCK32 ref: 009D1B94

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction ID: d352efad11f6b703189c3d5d985310a6ac4c2be801a8d0a4fac34035d3840253
Opcode Fuzzy Hash: 73a8661bc412a0ea3fcfe9e815f5c683affd5d7cbef89d0c493088e46286fe91
Instruction Fuzzy Hash: 4841CF75640200AFE720EF24C886F2A77E5AB84718F54C449F95A9F3D2E776ED42CB90

Function 0098B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction ID: 07fb62ebc7391f60254556229ab5e00cf0b7b38aaa35c5f696af1cf93e0dce71
Opcode Fuzzy Hash: 9e16678be49367514da3407087947429be35fffbe8577f3efd090b9ef06303f1
Instruction Fuzzy Hash: EB412976A00304BFD724AF78CC42B6ABBE9EBC4710F14852AF556DB7A2D371A9018790

Function 009C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009C5783
GetLastError.KERNEL32(?,00000000), ref: 009C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009C57FA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction ID: e5496e5d68948a6af2c95dade075e08e793c616a31b28babf020d9982acd15b7
Opcode Fuzzy Hash: e3c3bbb2bb074baef249cbf2488afc1ba9e16e7f13e1a9eff30cbbe68508fe30
Instruction Fuzzy Hash: 18412B39600610DFCB11DF55C584B5EBBE6AF89321B198488FC4AAB362DB34FD45CB91

Function 0098D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00976D71,00000000,00000000,009782D9,?,009782D9,?,00000001,00976D71,8BE85006,00000001,009782D9,009782D9), ref: 0098D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0098D9AB
__freea.LIBCMT ref: 0098D9B4

Part of subcall function 00983820: RtlAllocateHeap.NTDLL(00000000,?,00A21444,?,0096FDF5,?,?,0095A976,00000010,00A21440,009513FC,?,009513C6,?,00951129), ref: 00983852

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction ID: 500c1ff10616861bfc904e4ba0b8340ddbb4c7833f8c364fc82ef3b59d704aa5
Opcode Fuzzy Hash: aa7ef2de713fdb24d76bbd12bf21112b61bde5fd322002b6ec9cdfb43721d776
Instruction Fuzzy Hash: EA31C372A0221AABDF25EF65DC45EAE7BA9EB40710F054168FC09D7290E736CD51CB90

Function 009E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009E5352
GetWindowLongW.USER32(?,000000F0), ref: 009E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E53A8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction ID: 68fa779114657850a6ee58411913c16aa4626e8f8a24e9a996fbefed1d77ab13
Opcode Fuzzy Hash: cff36b7e4c482a9c9a99a9eb2d52b051fa4e725fefc0a6f02178dedef662352b
Instruction Fuzzy Hash: F8315834A55A88FFEF329F56CC45FE8376AAB043D4F592001FA00861E1C3B49D80EB41

Function 009BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 009BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 009BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 009BAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 009BACC6

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction ID: 175e382377ba6554378b3f627629b85e582aeb91821ec69b160e910496dbe088
Opcode Fuzzy Hash: a125e619bb28092effc6440b0224e0533f5fa3db030132256594758cef8a6599
Instruction Fuzzy Hash: CD314630A14318AFEF35CB658D097FE7FA9AB89330F04461AE4C0961D1C3788D8197A2

Function 009E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009E769A
GetWindowRect.USER32(?,?), ref: 009E7710
PtInRect.USER32(?,?,009E8B89), ref: 009E7720
MessageBeep.USER32(00000000), ref: 009E778C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction ID: ab0640240fb78337784817bc96dd1fa4561006c3301235045c295b9e91503c2c
Opcode Fuzzy Hash: 2b034ebcc283df1b13cfcdf38d1ef74e6c62b5631b3d919774480c62652ddf21
Instruction Fuzzy Hash: A141AD34609295EFDB12CFDAC894EA9B7F4FB49704F1540A8E8549B261C732ED82CF91

Function 009E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009E16EB

Part of subcall function 009B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009B3A57
Part of subcall function 009B3A3D: GetCurrentThreadId.KERNEL32 ref: 009B3A5E
Part of subcall function 009B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009B25B3), ref: 009B3A65

GetCaretPos.USER32(?), ref: 009E16FF
ClientToScreen.USER32(00000000,?), ref: 009E174C
GetForegroundWindow.USER32 ref: 009E1752

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction ID: 0adf03e11cc49219f9f12e898685bf4f8f9e81c059e5b9605f7909e12df7d980
Opcode Fuzzy Hash: 308ec9ac547a5cb99d932f32ff297e8ad7367fa76ccc6e4ab6e2f12be3bc8c40
Instruction Fuzzy Hash: BB3121B5D00249AFC704EFAAC881DEEB7FDEF88304B548069E855E7251D7319E45CBA0

Function 009BDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

_wcslen.LIBCMT ref: 009BDFCB
_wcslen.LIBCMT ref: 009BDFE2
_wcslen.LIBCMT ref: 009BE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 009BE018

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: cfcfa477755a2e77dff08d57c206093e6d48ebcf8863cc583eb65e8e26fd3950
Instruction ID: 1c75389a9a871ac6fc56654af1feb781aef292e87c010b381c35bdc2882e6347
Opcode Fuzzy Hash: cfcfa477755a2e77dff08d57c206093e6d48ebcf8863cc583eb65e8e26fd3950
Instruction Fuzzy Hash: 34218372901214EFCB11EFA8D981BBEB7F8EF85760F144065E905BB246D7709E41CBA1

Function 009E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetCursorPos.USER32(?), ref: 009E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009A7711,?,?,?,?,?), ref: 009E9016
GetCursorPos.USER32(?), ref: 009E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009A7711,?,?,?), ref: 009E9094

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction ID: 1317cc3ad8a1e68ed36a4777c47974a7cee0bbfeca6c39669bfb55585ec7e2db
Opcode Fuzzy Hash: 5c0adf1e4723ea2590b1b889e9373031e260d6eb07b6bb0c6b5c6f35679f09e7
Instruction Fuzzy Hash: 6621F371201058FFCB268F99CC98EFA3BB9EF8A311F400065F5054B161C7319E91EB60

Function 009BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009ECB68), ref: 009BD2FB
GetLastError.KERNEL32 ref: 009BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 009BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009ECB68), ref: 009BD376

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction ID: 3065948d63a1f968c8e001ca6c418c46f91c3f24da3024959b01ea7e24c914ed
Opcode Fuzzy Hash: 65c2090b3b35298021f964443adda5d60a0bd1774e93b5f9a19d5420b9ac7195
Instruction Fuzzy Hash: 1421A670509301DF8300DF25C9855AA77E8EF9A368F104A1DF8A5C72A2E731DD4ACB93

Function 009B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B102A
Part of subcall function 009B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B1036
Part of subcall function 009B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1045
Part of subcall function 009B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B104C
Part of subcall function 009B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B15BE
_memcmp.LIBVCRUNTIME ref: 009B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B1617
HeapFree.KERNEL32(00000000), ref: 009B161E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction ID: 7875d03e8d86aa21aa1c49ee1c8b3ea723e42010619c6ee6b4d0f0b4ab70b134
Opcode Fuzzy Hash: bf7896f9f5a33a5f12473878177be307e8a4fd673d2f2b33967f2676fbb2fdc8
Instruction Fuzzy Hash: 0F21AF72E00109EFDF14DFA4CA55BEEB7B8EF84364F484459E441AB241E770AE05DBA0

Function 009E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E2840

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c79b15934167b9c951e6d9976d5d5e1d1286c1174b6b5bc01195534dc8087635
Instruction ID: 20ef5f118a336831730a26dc813cecbf9154f8fba5bb7652f38fe1a9159ccd61
Opcode Fuzzy Hash: c79b15934167b9c951e6d9976d5d5e1d1286c1174b6b5bc01195534dc8087635
Instruction Fuzzy Hash: 4321B631208691AFD715DB25CC45F6A779DAF85324F148158F8168F6D2CB75FC42C790

Function 009B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8D8C
Part of subcall function 009B8D7D: lstrcpyW.KERNEL32(00000000,?,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B8DB2
Part of subcall function 009B8D7D: lstrcmpiW.KERNEL32(00000000,?,009B790A,?,000000FF,?,009B8754,00000000,?,0000001C,?,?), ref: 009B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7923
lstrcpyW.KERNEL32(00000000,?,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,009B8754,00000000,?,0000001C,?,?,00000000), ref: 009B7984

Strings

cdecl, xrefs: 009B797B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7d9779d7a98cd376685263f92073c43508366c3882522f25b5d96217674644cf
Instruction ID: b4e748109d33401fc769985e7d477a89441f9315cff2113a4ba5bed0037ec5fc
Opcode Fuzzy Hash: 7d9779d7a98cd376685263f92073c43508366c3882522f25b5d96217674644cf
Instruction Fuzzy Hash: 4711063A204241AFCB159F74D844EBBB7A9FFC93A0B00412AF842CB2A4EB319811D751

Function 009E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009CB7AD,00000000), ref: 009E7D6B

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction ID: eb6a326284119240334d7b88a5720266ec84828c0b6ef093955cb76102f65faf
Opcode Fuzzy Hash: 462512d622bf74445e9492a17abed65ccc25bc456bdc9fccc2fda90c6080a206
Instruction Fuzzy Hash: 4211E431118695AFCB118FA9CC44A767BA9FF45360B154724F835CB2F0D7308D92DB50

Function 009E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009E56BB
_wcslen.LIBCMT ref: 009E56CD
_wcslen.LIBCMT ref: 009E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009E5816

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction ID: 859f08266e0b36a5b16e3f681590cb47a81bd32e3beada8b8b518f11799e45c1
Opcode Fuzzy Hash: b7df3c270d1e67ba6200d13793b33911bb7fb0cab76deff3a86cd6679461116e
Instruction Fuzzy Hash: 7D11E47160068996DF219F678C81AEE776CEF10B68F504426F905D6082E7748D80CB60

Function 00981D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324b500ed2b5891dc92ad74ed60dc0e7e8c959d9127a6aef527945e3d44d5f84
Instruction ID: 3b8eca33397a358b8b677ff3c8c2cf42143ac9dac5b405a56d88dc47ec9ca0d7
Opcode Fuzzy Hash: 324b500ed2b5891dc92ad74ed60dc0e7e8c959d9127a6aef527945e3d44d5f84
Instruction Fuzzy Hash: D601ADB220A6167FF6213AB86CC0F67671CDF813B8B310B25F522A13D2DB658C025360

Function 009B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B1A8A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction ID: fef3abc0589885f16f2a78da6ce62a1bb46af01f93be3bd69665fe5461a454b9
Opcode Fuzzy Hash: b6713eeb6464d70557613978a444e534d49baeb0d1d49d09006d44ea3592767f
Instruction Fuzzy Hash: 0411273A901219FFEF109BA4C985FEDBB78EB08760F200091EA00B7290D6716E50DB94

Function 009BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 009BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009BE24D

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction ID: 7e5829397670177df2a448c0a0ee0352cef103bec2977a113cb51a6e3516efdb
Opcode Fuzzy Hash: 99fa637d3e6a75c7e29f69ed11dfdbf6f8883297c90b339bd5f85921118bc2a2
Instruction Fuzzy Hash: 1A116BB2D08244BFC710DFEC9D45AEE3FAD9B41320F004225F824E7280D270CD0287A0

Function 0097D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0097CFF9,00000000,00000004,00000000), ref: 0097D218
GetLastError.KERNEL32 ref: 0097D224
__dosmaperr.LIBCMT ref: 0097D22B
ResumeThread.KERNEL32(00000000), ref: 0097D249

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction ID: 9bbf43acd3d4a86107b64c9a481f5509f82ef0305fbde0d892eec4e5e0d71058
Opcode Fuzzy Hash: b58ce85d7ddbdd98582ab0d09ad46b9b15b6d6f7e7fb233e038ec5770c922d3e
Instruction Fuzzy Hash: 7601D27790A204BBCB116BA5DC09BAA7A7DEFC1731F208219F939961D1CB71CD02D7A0

Function 009E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00969BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00969BB2

GetClientRect.USER32(?,?), ref: 009E9F31
GetCursorPos.USER32(?), ref: 009E9F3B
ScreenToClient.USER32(?,?), ref: 009E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 009E9F7A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1657ebe0026830847909ed56abccdf881279dc0bc9a81f315836a30b880eb219
Instruction ID: 9b48aad8761842b471fbfd5715063aae95dbcd873b8c11f21025ef8290f30ac4
Opcode Fuzzy Hash: 1657ebe0026830847909ed56abccdf881279dc0bc9a81f315836a30b880eb219
Instruction Fuzzy Hash: 2911367290029AABDB11DFAAD8859EE77B9FB45311F000851F911E7141D730BE82DBA1

Function 0095600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
GetStockObject.GDI32(00000011), ref: 00956060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction ID: 729aedddb413b54829ed949734d4af35b291e59fca8093b782cb665b4a16fa46
Opcode Fuzzy Hash: 99e60edbbbf0e5401011627a41601dbcbf599b5e53fdf3df431482e52d3b534c
Instruction Fuzzy Hash: 3811A1B2101548BFEF128FA6CC44EEA7B6DEF08365F400211FE0456050C7329C61EB90

Function 00973B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00973B56

Part of subcall function 00973AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00973AD2
Part of subcall function 00973AA3: ___AdjustPointer.LIBCMT ref: 00973AED

_UnwindNestedFrames.LIBCMT ref: 00973B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00973B7C
CallCatchBlock.LIBVCRUNTIME ref: 00973BA4

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 628491044ba610e2109a32c5668b4cab715f85cb34c36e5311158e2ee721218a
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B601D733100149BBDF125E95CC46EEB7B6DEF98754F04C018FE5C66122D732E961ABA1

Function 00983073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009513C6,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue), ref: 009830A5
GetLastError.KERNEL32(?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000,00000364,?,00982E46), ref: 009830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0098301A,009513C6,00000000,00000000,00000000,?,0098328B,00000006,FlsSetValue,009F2290,FlsSetValue,00000000), ref: 009830BF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction ID: beed1331ad1451e0c9708c8820fb9d9e36e157a20195bee243b4f74449cb5d85
Opcode Fuzzy Hash: 2b77088dad0442aeaaa8a5553778bb2c69af27be63378fb8b405800eac5988f7
Instruction Fuzzy Hash: D001D472325222ABCB315EB99C849677B9CAF05F61B108620F955E7340C721DD02D7E0

Function 009B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009B74CA

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction ID: 5f5f31bf64f8835baccddbf2ffa86a56383d8b9dcafa09ccabb0a3d38bea5422
Opcode Fuzzy Hash: 1b46bd3e7cc335ca6f2681cc09afe734e9509c68e805c34862dfb8421607517d
Instruction Fuzzy Hash: D411C4B12093149FE7208F94DE48FD2BFFEEB40B11F108A69A656DA1A1E774E904DB50

Function 009BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009BACD3,?,00008000), ref: 009BB126

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction ID: 72310e46f65b998c7bbbe42c78c70eea434033d2e89218204138c38aabc0ebf6
Opcode Fuzzy Hash: c463cb951f6932d12ea673face7fa61f208aaaf6a0808f9f0814c491d20a95c6
Instruction Fuzzy Hash: 5D11A171C0851CEBCF00AFE8DA986FEBB78FF0A320F004085D981B2185CBB449518B51

Function 009E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009E7E33
ScreenToClient.USER32(?,?), ref: 009E7E4B
ScreenToClient.USER32(?,?), ref: 009E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009E7E8A

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9b0c1da91ff89c95c1bd7cd0c7b93a3c2bc4205d02e5cde76fd4406a66279003
Instruction ID: 517370d686609eac5374836cd0a61525770eb7fa6aff344e3360cd156b57d2bb
Opcode Fuzzy Hash: 9b0c1da91ff89c95c1bd7cd0c7b93a3c2bc4205d02e5cde76fd4406a66279003
Instruction Fuzzy Hash: A31183B9D0424AAFDB41CF98D884AEEBBF9FF08310F108066E951E3210D735AA55DF90

Function 009B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 009B2DD6
GetCurrentThreadId.KERNEL32 ref: 009B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009B2DE4

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction ID: a32288f3f73f8be49c9d164bf7ed2b1ed35d152371610bbdb2b6edc29e31917b
Opcode Fuzzy Hash: c1b043ba50cf3699f6bc6b63058fd008e1a704be706f1cdb44322fba246ccf37
Instruction Fuzzy Hash: 37E092B2119224BBDB201B729C4DFEB3E6CEF82FB1F000019F105D90809AA4CC42D6B0

Function 009E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00969639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00969693
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696A2
Part of subcall function 00969639: BeginPath.GDI32(?), ref: 009696B9
Part of subcall function 00969639: SelectObject.GDI32(?,00000000), ref: 009696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009E8887
LineTo.GDI32(?,?,?), ref: 009E8894
EndPath.GDI32(?), ref: 009E88A4
StrokePath.GDI32(?), ref: 009E88B2

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction ID: c8b1a22bb67a95863fe23860e5d426bbcc0c2393417865f1edcfd7313b45dc83
Opcode Fuzzy Hash: 9a37f1797846867a79a53f2e0720495df0963e74b16527a67cc7111bece9b993
Instruction Fuzzy Hash: 4CF03A36049298BADF125F94AC09FDA3A59AF16311F448000FE61690E1C7755952DBA5

Function 009698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009698CC
SetTextColor.GDI32(?,?), ref: 009698D6
SetBkMode.GDI32(?,00000001), ref: 009698E9
GetStockObject.GDI32(00000005), ref: 009698F1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction ID: cb09dfde34c2166224d19f8c2e7e3c54e9dbbc423fc614752b70127dc86ce403
Opcode Fuzzy Hash: 79fd30c163d0d0db158808593625751d58bc8a129c90e9a0494e6a6f5e7c235f
Instruction Fuzzy Hash: 1AE06D7125C680AADB215B78EC49BE87F65EB16376F048219F6FA580E1C7714A41AB10

Function 009B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B11D9), ref: 009B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009B11D9), ref: 009B164F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction ID: 888fc0a431934746e7c2cd27899411c1a7684f191595ec9ed793b969a6f84ede
Opcode Fuzzy Hash: 0e66ebd6adc5f1afdc73d30036a2f39d23390a604b0906018358e16400996383
Instruction Fuzzy Hash: 47E08CB2616211EBDB201FA4AE4DB8A3B7CAF447A2F148808F685DD080E7348842DB60

Function 009AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD858
GetDC.USER32(00000000), ref: 009AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction ID: ed1fefb60134a25c48cadb01a3fd17bb86862546543d2d7f82ee7157cf9f1c6c
Opcode Fuzzy Hash: dec94fbccb04e71d99dd32e1fa1440f43f300be9fafbda4a8ecce92e09464c58
Instruction Fuzzy Hash: 12E01AF4815205DFCF419FA4D84C66EBBB1FB48711F108409E896EB250C7389902AF40

Function 009AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009AD86C
GetDC.USER32(00000000), ref: 009AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AD882
ReleaseDC.USER32(?), ref: 009AD8A3

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction ID: 8e215421930741161f269299c5f172ec7fd0d9343ed2274da260a44e0bd42530
Opcode Fuzzy Hash: e60c0b2febff07dc6f22dec4bfb179783c0fcb277592e1135cbc862cd5e934a2
Instruction Fuzzy Hash: 74E01AB4C14205DFCF409FA4D84C66EBBB1BB48711B108408E896EB250C7385902AF40

Function 009C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00957620: _wcslen.LIBCMT ref: 00957625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009C4ED4

Strings

LPT, xrefs: 009C4DFB
*, xrefs: 009C4E10

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0d02da804ce38738add1e82bf419e0804980034289ff71949fb39b57c1830a99
Instruction ID: c5e9457bb2ac92d57ce637863435efe6777811501b6b2a0212466f1151f10112
Opcode Fuzzy Hash: 0d02da804ce38738add1e82bf419e0804980034289ff71949fb39b57c1830a99
Instruction Fuzzy Hash: DB913D75A002049FDB14DF58C494FAABBF5AF48304F19809DE84A9F362D735EE85CB91

Function 0097E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0097E30D

Strings

pow, xrefs: 0097E2E5, 0097E302

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction ID: a3aab641ff4c49d9db7a3806f1c54d7aa201b637a2cdb74570ae2fbb3602da7e
Opcode Fuzzy Hash: 511e5da17abb6aa975ebae37b8fa448bec536e4ac031ca56c916982ba1bede1d
Instruction Fuzzy Hash: 30512A62A1C20296CB157754C941379BBACAB54740F34CDE8E0DA833FAEB35CC95DB86

Function 0096E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0096E1B1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction ID: 2ff0abde3afc2b615845114ff751a05405c587f33d49f59f36879b1a68f0b613
Opcode Fuzzy Hash: b5ef3e1323eb863ae8a1844a3bf6074321e162939c91b71634323498f9d2f6fe
Instruction Fuzzy Hash: 86515579904246DFDB19DF28C491AFA7BA9EF56310F248059FCA19B2C0DB349D46CBA0

Function 0096F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0096F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0096F2BB

Strings

@, xrefs: 0096F2AF

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction ID: f56ffa19c20d7afa711a7329b24376494fe11304e2c3e9e9da83ed23fa23a2cb
Opcode Fuzzy Hash: cb69eb1693816464186a79678c03873cf1737121f230b71c6001ce427fe586e2
Instruction Fuzzy Hash: E65115714187489BD320EF51EC86BAFBBE8FBC4301F81885DF5D941195EB70852ACB66

Function 009D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009D57E0
_wcslen.LIBCMT ref: 009D57EC

Strings

CALLARGARRAY, xrefs: 009D57E6, 009D57EB

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 73397fd8359ad672ed544b1d5141686942108f2c7a4fa598675070eb7560316e
Instruction ID: fd5c88a0414099d9d847cc6d5ee6f8e297df7a60d2b182f8d0d2d774131c90a5
Opcode Fuzzy Hash: 73397fd8359ad672ed544b1d5141686942108f2c7a4fa598675070eb7560316e
Instruction Fuzzy Hash: C141A175A002059FCB14DFA9C8819BEBBF9FF99324F11806AE505A7361E7349D81DB90

Function 009CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009CD13A

Strings

|, xrefs: 009CD10B

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction ID: b9f073067f9d38dbc7587f5fd60aaf6a387005c2c90b9d6a25ca6e5a9c9d3646
Opcode Fuzzy Hash: 12d487df83895102dd1e612601be7724313d6087453ffc2a3adcc457e16aca55
Instruction Fuzzy Hash: 4A311771D01209ABCF15EFA5CC85AEEBBB9FF45300F000029F819A6162D631AA1ACB61

Function 009E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E365C

Strings

static, xrefs: 009E35BC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6a63bb106895e956919b2afe9ba6806ac479ab2e9526625fecf5f94e7cb499b8
Instruction ID: 6553cebd5f491692843c0cea567b3accbf8a09e74c562f899a92f1ae9bc57f0c
Opcode Fuzzy Hash: 6a63bb106895e956919b2afe9ba6806ac479ab2e9526625fecf5f94e7cb499b8
Instruction Fuzzy Hash: D4318D71110244AEDB11DF79DC85FBB73ADFF88724F009619F8A997280DA31AD82D760

Function 009E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E4634

Strings

', xrefs: 009E458E

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction ID: ac86afea76b563b56ec61952cbf7187fb10af415bc867367c9f85695afdfa74b
Opcode Fuzzy Hash: 4fa127f617cc4e3ebdeaeceb5bbfb95d893e27a297613d2a91009268bd5c86dc
Instruction Fuzzy Hash: C9312874A003499FDB15CFAAC980BEA7BB9FF49700F104069E904AB341D770AD41CF90

Function 009E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E3287

Strings

Combobox, xrefs: 009E3249

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction ID: 395077bdf2c58fd8a6ca6a2393b468a3a7ad6a02a6215a0c65eaefd5c54c7c04
Opcode Fuzzy Hash: 8ab31dbb5db83fc9116765c9676653116c37f58654172cab9b157ac6dbc2b9f7
Instruction Fuzzy Hash: D311B2713002497FEF229F95DC88EBB37AEEB98364F108524FA6897390D6319D519760

Function 009E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0095600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0095604C
Part of subcall function 0095600E: GetStockObject.GDI32(00000011), ref: 00956060
Part of subcall function 0095600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0095606A

GetWindowRect.USER32(00000000,?), ref: 009E377A
GetSysColor.USER32(00000012), ref: 009E3794

Strings

static, xrefs: 009E3757

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction ID: 611044b9abed5fc13a649fc36ca3e5ec8625ea99189901aaabdf9d9127fd3855
Opcode Fuzzy Hash: 45ad2474063410ac07bdce558ff659237e0832aece66c0c0e73f0e1f11595621
Instruction Fuzzy Hash: C81129B2610249AFDF11DFA9CC49AEA7BB9FB08314F004924F955E3250D735ED51DB50

Function 009CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009CCDA6

Strings

<local>, xrefs: 009CCD66

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction ID: b18b405aff7934573a57e54ab135003cf8dad2ec58417e5079babf451c367d5e
Opcode Fuzzy Hash: 6cfb259dab83323c467257f45ab5c2f78b70d0fcc05d9eb028dd39770cacdd16
Instruction Fuzzy Hash: 3011E3F1A15632BAD7244A668C84FE3BEACEB127A4F00462AF10E820C0D2749941D6F1

Function 009E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E34BA

Strings

edit, xrefs: 009E348F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction ID: 553ccc1a9e61df189ac64102f4e1430fb67896f915efc5253872f41be525672a
Opcode Fuzzy Hash: 1dec3a445bf3c5e1fa97be21cd9a7701d426984e5dfdc5192a06e48b0b66c302
Instruction Fuzzy Hash: 2411BF71100188ABEB138F66DC88ABB376EEB45378F508724F960971E0D731DD529B50

Function 009B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

CharUpperBuffW.USER32(?,?,?), ref: 009B6CB6
_wcslen.LIBCMT ref: 009B6CC2

Strings

STOP, xrefs: 009B6CBC, 009B6CC1

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 60506f4924f3bd42850287b932cceeef4838061ccea00a9a77028d0423372297
Instruction ID: 4471ca93947b4dcaaa0632415b5cd0474e99daccae72971d9400b77e2d230ec3
Opcode Fuzzy Hash: 60506f4924f3bd42850287b932cceeef4838061ccea00a9a77028d0423372297
Instruction Fuzzy Hash: EA012632A005278BCB209FBDCD919FF37B9EBA0B207000924E99297191EB39FC04C750

Function 009B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B1D4C

Strings

ComboBox, xrefs: 009B1CEB
ListBox, xrefs: 009B1D16

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6bb75c860dd917b073eba4d4cd7d55d3c420b290a3fc3e11da867bf5144df72
Instruction ID: c113419485ee70e72a3acd9c34a9d84da434dd2b9488f679d6d4d2cbb825378d
Opcode Fuzzy Hash: f6bb75c860dd917b073eba4d4cd7d55d3c420b290a3fc3e11da867bf5144df72
Instruction Fuzzy Hash: 54012875604218EB9B08EBA0CE61DFE77A8FBC2360B500D09FC62572C1EA30590C8760

Function 009B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 009B1C46

Strings

ComboBox, xrefs: 009B1BE5
ListBox, xrefs: 009B1C10

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d0458d60733c3153ec0db6b08e6aa6ffefbb495129a3bb4e767fcbe224089dde
Instruction ID: 965dbdd2279302c1216c1afa7e1d1cedabb2c868c0e0149f351d0fb054014a80
Opcode Fuzzy Hash: d0458d60733c3153ec0db6b08e6aa6ffefbb495129a3bb4e767fcbe224089dde
Instruction Fuzzy Hash: C201AC75A45108A6DB04E7A0CB63AFF7BAC9B51350F540415AD8667182EA249E0C8771

Function 009B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 009B1CC8

Strings

ComboBox, xrefs: 009B1C69
ListBox, xrefs: 009B1C94

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1d8d3791a1007972347087a514da8300177e58203b52952788f66b0452ad8e34
Instruction ID: 5552ee386638ae87b25d163c04dc154f8de8fbee685272faa0df7e8e0107c633
Opcode Fuzzy Hash: 1d8d3791a1007972347087a514da8300177e58203b52952788f66b0452ad8e34
Instruction Fuzzy Hash: 1D01D6B5A80118A7DB04EBA5CB11BFF7BACAB51350FA40415BC8673282EA209F0CC771

Function 009B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959CB3: _wcslen.LIBCMT ref: 00959CBD

Part of subcall function 009B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009B1DD3

Strings

ComboBox, xrefs: 009B1D75
ListBox, xrefs: 009B1DA0

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bd894c16b925bf47383670132f57ab59696ebb029a5c6ef06e915c12a1590ec6
Instruction ID: 7feb29f342c1f9d8f26d4522835769704eb676f3a8310d2940ea3785837e0cc8
Opcode Fuzzy Hash: bd894c16b925bf47383670132f57ab59696ebb029a5c6ef06e915c12a1590ec6
Instruction Fuzzy Hash: BBF0F475A54218A6DB04E7A4CE62BFF77BCAB81360F840D19BC62632C2EA60590C8360

Function 009D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009D7493
_wcslen.LIBCMT ref: 009D74B9

Strings

3, 3, 16, 1, xrefs: 009D7483

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction ID: 06780e3fd8a32412ffe5b629a0b5153cab9ac44a74d11c15ddc466514c6bc780
Opcode Fuzzy Hash: 8f71418e76299ea4a0afc8d9e9092c24f3f1802c2004b3c4af397f72d6ce3358
Instruction Fuzzy Hash: 50E02B0324422061923212BA9CC1B7F968EDFC5B90710982BFA89C6377FB948D9193A1

Function 009B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009B0B23

Strings

AutoIt, xrefs: 009B0B17
Error allocating memory., xrefs: 009B0B1C

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bcc3870d82bc32290a231a8aa82566caa3e329618d7f85026b84a79f416669e1
Instruction ID: 5f475c420bdfa40f318bb72f7b6b29b74974a675feb66cb70c36146facfc366a
Opcode Fuzzy Hash: bcc3870d82bc32290a231a8aa82566caa3e329618d7f85026b84a79f416669e1
Instruction Fuzzy Hash: F4E0D83228435876D21536557C03FC97F889F49B25F100426FBD8954C38BE22C9006A9

Function 00970D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0096F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00970D71,?,?,?,0095100A), ref: 0096F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0095100A), ref: 00970D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0095100A), ref: 00970D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00970D7F

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction ID: 2fb3bb54c8bf0085f2663124a78c29b9dca8ba2da6ce5008f3e933d622f288ba
Opcode Fuzzy Hash: fac1e2f048bff15a1fb532641566993627a4d69084102028e4366f1129e7124b
Instruction Fuzzy Hash: 10E06DB02003818FD370DFB9E4543567BE4AB90744F00892DE896CA795DBB0E8498B91

Function 009C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 009C3044

Strings

aut, xrefs: 009C3038

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction ID: d80fd4da982593b65e52accf7aa96c7caec9c7f412651bff5e5b778bd0622177
Opcode Fuzzy Hash: 5cf26e11848f23724dc5e25c9a39c6f319294ab6046fdd77fff0137c76b3077c
Instruction Fuzzy Hash: 87D05BB150032477DA2097949C4DFC73A6CEB04751F0005517795D6195DAB0D985CAD0

Function 009AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009AD220

Strings

%.3d, xrefs: 009AD22B
X64, xrefs: 009AD2A8

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction ID: 58b8409b6545d0fb8777b12b61b91123d1d8cd8b14d0e9d5b2d113a0e96d0514
Opcode Fuzzy Hash: 5d768f07013083dab2fb97d0fd107f3c28879b3eec6597bc8fee3b7314ba3f24
Instruction Fuzzy Hash: B7D062A1C0A119E9CB5096E0DC45AF9B37CBB59341F548C52FD27A1440D62CD549E7A1

Function 009E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E233F

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2325

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction ID: d972308c61d83a98b3f05bdc74814183c3b54e77bc31d7d919fdcca3d1930626
Opcode Fuzzy Hash: 62ca99f1b51759a5515e2e0a59d109ebda24a6fb1b9f5d8e5ac3a40423308cca
Instruction Fuzzy Hash: 0BD0C9763A9350BAE664A7709C4FFC66A18AB40B10F0049167685AA1D0C9A0A8469A58

Function 009E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E236C
PostMessageW.USER32(00000000), ref: 009E2373

Part of subcall function 009BE97B: Sleep.KERNEL32 ref: 009BE9F3

Strings

Shell_TrayWnd, xrefs: 009E2365

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction ID: 90194114ca1b8cf8222e7e26588b072fe60efd11a6bab25fe275262c82ab27f1
Opcode Fuzzy Hash: b5ec0fc71cbb7598a3ab7ea69b4bf8b83c0bb3dd1698933d1c8d79f8f57f2e49
Instruction Fuzzy Hash: 24D0C976399350BAE664A7709C4FFC66618AB44B10F0049167685EA1D0C9A0B8469A58

Function 0098BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0098BE93
GetLastError.KERNEL32 ref: 0098BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0098BEFC

Memory Dump Source

Source File: 00000000.00000002.1864730252.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1864709622.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.00000000009EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864794074.0000000000A12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864839872.0000000000A1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1864860635.0000000000A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction ID: 9205bb88d067005f7541fa2f08e8408e2340ce833d6fb54e42d153ab38cff728
Opcode Fuzzy Hash: c5386a66d3fe63636a33d7ac08e38e65e3e233f0bdc6174cafc5987c655b227e
Instruction Fuzzy Hash: 1141E935604206AFCF21BF65CC54BBA7BA9EF42710F284169FA599B3A2DB309D01DB50

Analysis Process: firefox.exePID: 7568, Parent PID: 7860COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F42A1B9C37 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F42A1B9C5C

Memory Dump Source

Source File: 00000010.00000002.3054810204.000001F42A1B6000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F42A1B6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1f42a1b6000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: e019f500331b0e7415c103c4ace031c1bf7ddd82aa9ff693a2afaf3de2515967
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 63A3D331614A498BDB2DDF28DC857FA73E5FB95310F04463EED4AC7291DB30EA468A81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1959796413.0000014EEFB6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942019678.0000014EF048F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004959132.0000014EF076F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2004959132.0000014EF076F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2067226828.0000014EF7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059226858.0000014EF7AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031343559.0000014EF7AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2099095328.0000014EF08C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2098136061.0000014EF09A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010346062.0000014EFAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010346062.0000014EFAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2067226828.0000014EF7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059226858.0000014EF7AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2095395798.0000014EF0CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2099095328.0000014EF08C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2098136061.0000014EF09A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010346062.0000014EFAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010346062.0000014EFAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3051703713.000001F429D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3051536611.000001B27950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3051703713.000001F429D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3051536611.000001B27950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3051703713.000001F429D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3051536611.000001B27950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2004959132.0000014EF076F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2067226828.0000014EF7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2059226858.0000014EF7AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2099095328.0000014EF08C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2099457230.0000014EF00D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2098136061.0000014EF09A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010346062.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2056304003.0000014EFAE10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2034637295.0000014EF0ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfbc8475-05d4-4163-af93-87d0c3f1feb8.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfbc8475-05d4-4163-af93-87d0c3f1feb8.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre