Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562130
MD5:	0e2fc9b36d332fa942b2d7f9fdf25acd
SHA1:	58c53e720ac23f2d2e0b6ed5d465169444eed15a
SHA256:	f2db82dd018315d2b557e4d5b52c281aec951d65c21895a7650bc73e4d63a9b5
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0E2FC9B36D332FA942B2D7F9FDF25ACD)

taskkill.exe (PID: 7320 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7484 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7620 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7684 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7740 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7772 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7792 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8000 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5001cba-8597-4352-a3c0-51983316fda4} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a69206e510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7708 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 1812 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b588b09-fe46-4510-a1fc-1bacfcafc118} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a9e16e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5348 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5012 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fea274c-9946-4545-8205-312b04a368a8} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a36b2510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7304	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0090EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0090EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0090ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0090EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008FAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00929576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7c936430-9
Source: file.exe, 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_688ccde7-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_320190a8-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_48a23d0c-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E249A232 NtQuerySystemInformation,		17_2_00000185E249A232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E2493CB7 NtQuerySystemInformation,		17_2_00000185E2493CB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008FD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008FE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00902046	0_2_00902046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00898060	0_2_00898060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F8298	0_2_008F8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CE4FF	0_2_008CE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C676B	0_2_008C676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924873	0_2_00924873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BCAA0	0_2_008BCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CAF0	0_2_0089CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ACC39	0_2_008ACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C6DD9	0_2_008C6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008991C0	0_2_008991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AB119	0_2_008AB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1394	0_2_008B1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1706	0_2_008B1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B781B	0_2_008B781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B19B0	0_2_008B19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897920	0_2_00897920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A997D	0_2_008A997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7A4A	0_2_008B7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7CA7	0_2_008B7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1C77	0_2_008B1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C9EEE	0_2_008C9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE44	0_2_0091BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B1F32	0_2_008B1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E249A232	17_2_00000185E249A232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E2493CB7	17_2_00000185E2493CB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E249A95C	17_2_00000185E249A95C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000185E249A272	17_2_00000185E249A272

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00899CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008AF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008B0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: firefox.exe, 0000000C.00000002.2171054841.000002B5AE7F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp>

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@64/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009037B5 GetLastError,FormatMessageW,

0_2_009037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F10BF AdjustTokenPrivileges,CloseHandle,		0_2_008F10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008F16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008FD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0090648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291789156.000002A6ADA95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2389612252.000002A6A33F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
Source: firefox.exe, 0000000E.00000003.2389612252.000002A6A33F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;?

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5001cba-8597-4352-a3c0-51983316fda4} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a69206e510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 1812 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b588b09-fe46-4510-a1fc-1bacfcafc118} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a9e16e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5012 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fea274c-9946-4545-8205-312b04a368a8} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a36b2510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5001cba-8597-4352-a3c0-51983316fda4} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a69206e510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 1812 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b588b09-fe46-4510-a1fc-1bacfcafc118} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a9e16e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5012 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fea274c-9946-4545-8205-312b04a368a8} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a36b2510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2303114402.000002A6A1B96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2302515939.000002A6A1B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2303114402.000002A6A1B96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2302515939.000002A6A1B8C000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B0A76 push ecx; ret

0_2_008B0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008AF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00921C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00921C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97285

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000185E249A232 rdtsc

17_2_00000185E249A232

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008FDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CC2A2 FindFirstFileExW,	0_2_008CC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009068EE FindFirstFileW,FindClose,	0_2_009068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0090698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008FD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008FD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00909642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0090979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00909B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00905C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: firefox.exe, 00000011.00000002.3383412056.00000185E1B5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW b9
Source: firefox.exe, 00000012.00000002.3384047082.00000234E489A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`8
Source: firefox.exe, 00000011.00000002.3388406139.00000185E2390000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:/yr
Source: firefox.exe, 00000010.00000002.3384249843.00000167191EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388141682.00000234E4C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3388758002.0000016719720000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3388406139.00000185E2390000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: firefox.exe, 00000010.00000002.3384249843.00000167191EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla<
Source: firefox.exe, 00000010.00000002.3389684657.0000016719B40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3388406139.00000185E2390000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000185E249A232 rdtsc

17_2_00000185E249A232

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090EAA2 BlockInput,

0_2_0090EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008C2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008B4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008F0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008C2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008B083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B09D5 SetUnhandledExceptionFilter,	0_2_008B09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008B0C21

Source: C:\Users\user\Desktop\file.exe

0_2_008F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FB226 SendInput,keybd_event,

0_2_008FB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008F0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008F1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2258611354.000002A6AE2D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B0698 cpuid

0_2_008B0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00908195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00908195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008ED27A GetUserNameW,

0_2_008ED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008CB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008CB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7304, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7304, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00911204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00911204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00911806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00911806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2355140710.00003BE858404000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3385445962.00000234E4BC6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2390038314.000002A6A33AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2381272663.000002A6ADBFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336183666.000002A6ADED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358230484.000002A6ADBFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291398529.000002A6ADBFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362306154.000002A6ADED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291268239.000002A6ADED9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2314279884.000002A6AA043000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3385636312.00000167195E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3385711421.00000185E1FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388407106.00000234E4D08000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3385711421.00000185E1F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3385445962.00000234E4B91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2224888591.000002A6A3165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389612252.000002A6A33C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2388297427.000002A6A3632000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2184463871.000002A6A1D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184286665.000002A6A1D60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183846702.000002A6A1D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183688904.000002A6A2000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183986685.000002A6A1D3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2337140553.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362470293.000002A6AD775000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2292700952.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222240809.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2337765871.000002A6AB419000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374290161.000002A6A391E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2339923464.000002A6A5441000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2184286665.000002A6A1D60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183846702.000002A6A1D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183688904.000002A6A2000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183986685.000002A6A1D3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2385037130.000002A6A4968000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293535243.000002A6A9EA0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2337765871.000002A6AB419000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2291398529.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2388647730.000002A6A348B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000012.00000002.3385445962.00000234E4B0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2243464172.000002A6A3BDF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2337765871.000002A6AB445000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2389612252.000002A6A33C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2360091983.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382281042.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3385445962.00000234E4BC6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2343924125.000002A6A4499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A4499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2371695073.000002A6A9A57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2243875585.000002A6A3BC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2321491764.000002A6A35EA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2382281042.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2292433134.000002A6AB4EF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3385636312.00000167195E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3385711421.00000185E1FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388407106.00000234E4D08000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3385636312.00000167195E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3385711421.00000185E1FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3388407106.00000234E4D08000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2388297427.000002A6A3632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3385711421.00000185E1F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3385445962.00000234E4B13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389612252.000002A6A33C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000011.00000002.3385210556.00000185E1EF0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2344392291.000002A6A3CEF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2292700952.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222240809.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2363321110.000002A6AB422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337765871.000002A6AB422000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2244066696.000002A6A3BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2232291599.000002A6A38D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303723347.000002A6A35A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343410288.000002A6A45A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302771043.000002A6A2EC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321491764.000002A6A35E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222240809.000002A6A9FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223061754.000002A6A9A77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253560351.000002A6A3AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314725381.000002A6A9CE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303723347.000002A6A359A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356383228.000002A6A38D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242143511.000002A6A38D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2357135331.000002A6A381B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196974093.000002A6A25AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361064952.000002A6A9F22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343595042.000002A6A4551000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301328799.000002A6A3AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321491764.000002A6A35D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2322639594.000002A6A35A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314279884.000002A6AA022000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2339923464.000002A6A5441000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2339923464.000002A6A5441000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361064952.000002A6A9F22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2370714784.000002A6A9F23000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2339923464.000002A6A544C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388647730.000002A6A348B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2339923464.000002A6A544C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388647730.000002A6A348B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2363321110.000002A6AB422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337765871.000002A6AB422000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2314279884.000002A6AA043000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2224888591.000002A6A3165000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2315972507.000002A6A1F65000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2244066696.000002A6A3BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2362806813.000002A6AB4B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360528706.000002A6AB4B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337529418.000002A6AB4B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2223061754.000002A6A9AAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363811479.000002A6A9AAA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2243464172.000002A6A3BDF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2315972507.000002A6A1F65000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2360091983.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382281042.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2363104411.000002A6AB468000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2224888591.000002A6A3165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389612252.000002A6A33C2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2374290161.000002A6A391E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374859572.000002A6A36D7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2183986685.000002A6A1D3E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2344392291.000002A6A3CEF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2322308517.000002A6A35C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184463871.000002A6A1D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375312583.000002A6A36A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184286665.000002A6A1D60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183846702.000002A6A1D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183688904.000002A6A2000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183986685.000002A6A1D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303723347.000002A6A35C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2292700952.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222240809.000002A6A9F77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3385049960.0000016719270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3384140726.00000185E1C90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3384913855.00000234E4A00000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562130
Start date and time:	2024-11-25 08:43:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@64/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.209.229.249, 52.27.142.243, 52.32.237.164, 172.217.17.46, 23.200.87.12, 23.200.86.251, 172.217.17.74
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, login.live.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7792 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
02:44:17	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	151.101.130.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Dl2EmyL53n.doc	Get hash	malicious	Unknown	Browse	185.199.108.133
	RFQ AE 3003910999.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	199.232.192.209
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://sites.google.com/mdisrupt.com/rfp/home	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a7ef4f39-963a-48e0-91c6-e6aad4fd60e4.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178709245207763
Encrypted:	false
SSDEEP:	192:LKMXy8ncbhbVbTbfbRbObtbyEl7n4r2JA6wnSrDtTkd/SF:LPHcNhnzFSJYr1jnSrDhkd/I
MD5:	C8E8F45BC175F229A693B73DEE5B6C68
SHA1:	BDBFCDC7E8C8933F056913C8BB0861B2FE8F7BFA
SHA-256:	A7DBE4DF80A2F24078046DAB53344C442F64E6E66F4D7B57426CA91DC01D042C
SHA-512:	D9D7DB4E791427EF86B6EFF93DD03625F056F77B137F28903E4CFD7B68EF92752E62E30828DCC4DBF4ED74678E0E02361B6F9FA93DF446289868085F0687855B
Malicious:	false
Preview:	{"type":"uninstall","id":"a7ef4f39-963a-48e0-91c6-e6aad4fd60e4","creationDate":"2024-11-25T09:24:56.810Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a7ef4f39-963a-48e0-91c6-e6aad4fd60e4.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178709245207763
Encrypted:	false
SSDEEP:	192:LKMXy8ncbhbVbTbfbRbObtbyEl7n4r2JA6wnSrDtTkd/SF:LPHcNhnzFSJYr1jnSrDhkd/I
MD5:	C8E8F45BC175F229A693B73DEE5B6C68
SHA1:	BDBFCDC7E8C8933F056913C8BB0861B2FE8F7BFA
SHA-256:	A7DBE4DF80A2F24078046DAB53344C442F64E6E66F4D7B57426CA91DC01D042C
SHA-512:	D9D7DB4E791427EF86B6EFF93DD03625F056F77B137F28903E4CFD7B68EF92752E62E30828DCC4DBF4ED74678E0E02361B6F9FA93DF446289868085F0687855B
Malicious:	false
Preview:	{"type":"uninstall","id":"a7ef4f39-963a-48e0-91c6-e6aad4fd60e4","creationDate":"2024-11-25T09:24:56.810Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9225209212387515
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNh9Nxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6L6H8P
MD5:	6BA4784AF3259EF635203E21DF92F0D9
SHA1:	395A8AB81C165E323BDE4CBA0D16DEE18AEE64A8
SHA-256:	7FE6A7097AC3E29A03AA8938CDD53D97A16076E2977656470270CDAFB8B18FAE
SHA-512:	C42AD131AF3AB69E13F1BF3036603BF333FFB08C9A2B4D5837123EEE6F6A336FD69F9FF253E325733B5F59FB83A7CD3F1E0A6B232C53076E5137914BAA302DDE
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9225209212387515
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNh9Nxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6L6H8P
MD5:	6BA4784AF3259EF635203E21DF92F0D9
SHA1:	395A8AB81C165E323BDE4CBA0D16DEE18AEE64A8
SHA-256:	7FE6A7097AC3E29A03AA8938CDD53D97A16076E2977656470270CDAFB8B18FAE
SHA-512:	C42AD131AF3AB69E13F1BF3036603BF333FFB08C9A2B4D5837123EEE6F6A336FD69F9FF253E325733B5F59FB83A7CD3F1E0A6B232C53076E5137914BAA302DDE
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.073247377723392
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiP:DLhesh7Owd4+jiP
MD5:	3D425DC2781BB11D65A9DF522718FB6F
SHA1:	459925FBC71D0E3F3CFDFF1759C3530EC5DE4D3B
SHA-256:	569DF1806602B72DBEFC90AD65299C75E37E54DFB0B2C0465371254EEF94392D
SHA-512:	03137BD037DB5E3AFC9D26B546C59E05A4D0A99CF73A40F2C38F0708C3C803FD18619A4CE86E7BF3DCF888855D5421F1769C1E70D93796DD62595EEE83545F74
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFw6TicJWhYlltlstFw6TicJWrD89//alEl:GtWty6TicwKtWty6TicwX89XuM
MD5:	2ACBE8282789430A38F1339303562075
SHA1:	0D89D8E3986F3DCF3E94D6D2389BC3C7092289E0
SHA-256:	CA84A99FC39EC39BE693A7A6197B44277F5E9C1BB13A630A05B6671848D7870C
SHA-512:	3FBAD594E3B7164696772666C81882406F5AE87AAD79077507131F42F5966754DFE86D32052B2A6165A2AB1A38106EC41DC6F19531CBE9B5F6972A084652D7A3
Malicious:	false
Preview:	..-.....................g..`....G8{..-p.5..gY.V..-.....................g..`....G8{..-p.5..gY.V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03981332616593857
Encrypted:	false
SSDEEP:	3:Ol1mZ9plglfidoIol8rEXsxdwhml8XW3R2:K4YwCl8dMhm93w
MD5:	00FD2022BDD653E3EB9CAB6E52CF466B
SHA1:	273D8B7B50F4B298B0F6D4F94F6A2148BA05493C
SHA-256:	4BA90504B47DB4B9AD66488E183EF71A926D819074071C8B4C2D0DF1FE9E815A
SHA-512:	49AD4EADEF533A6422BA658BB143AAFC88BB66B9D7E6687EE8E534CD5266BD6BF006B3F4D03F68A1590C8281FA059471F7648FB711CBF5867B05DC490C4E219B
Malicious:	false
Preview:	7....-..........G8{..-p..B;ZM.@.........G8{..-p.`..g...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476838376352522
Encrypted:	false
SSDEEP:	192:ynPOeRnLYbBp66J0aX+e6SEXKbEUNSa5RHWNBw8d5Sl:wDebJUFy1ZHEwO0
MD5:	56A728BEC0CAA3C0B0B4DB578BB0C19B
SHA1:	C0C4D14CC8907AA3BC5C603613B7E761511A314F
SHA-256:	8BF72100CA5CE0203B39286BF7B27D3D9751EC3CCC34FD8406D7153943EB5A22
SHA-512:	91DEAE2570B0C8E9091660F24B0FD40D7C2899CC49D8A69E5E8BBFC75B0D5CF5A8875EE59B1A540FC33CE0D6A1945C2B6A501A8AC6D2220651BA01104BF595B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732526666);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732526666);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732526666);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173252

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476838376352522
Encrypted:	false
SSDEEP:	192:ynPOeRnLYbBp66J0aX+e6SEXKbEUNSa5RHWNBw8d5Sl:wDebJUFy1ZHEwO0
MD5:	56A728BEC0CAA3C0B0B4DB578BB0C19B
SHA1:	C0C4D14CC8907AA3BC5C603613B7E761511A314F
SHA-256:	8BF72100CA5CE0203B39286BF7B27D3D9751EC3CCC34FD8406D7153943EB5A22
SHA-512:	91DEAE2570B0C8E9091660F24B0FD40D7C2899CC49D8A69E5E8BBFC75B0D5CF5A8875EE59B1A540FC33CE0D6A1945C2B6A501A8AC6D2220651BA01104BF595B5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732526666);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732526666);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732526666);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173252

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.339405511143963
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSvQLXnIrhpVt/pnxQwRcWT5sKmgb043eHVpjO+FamhujJwO2c0TiV5:GUpOxdypVXnRcoegf3erjxF4Jwc3zBtT
MD5:	FEBFF0A23D57E24280719B29FF3058B3
SHA1:	600CAD9CDABC996A7AF0481A745D47F793681C1E
SHA-256:	37BB7E22931E048925102D8074853E5C80703F61D31C82A6E3FB5E02DA5DA88B
SHA-512:	270E76F17E0A9792A0D131A0187B0EDFC42F66DE84ADDF4D85421737D8F92CC4F11888550E74D3A8B61E3CA3A24175DA3990A2E844440D11180271ECEB635A15
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{155e431a-fa2a-4ae6-96c4-dbe1459c37c6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732526671808,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P35635...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...40337,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.339405511143963
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSvQLXnIrhpVt/pnxQwRcWT5sKmgb043eHVpjO+FamhujJwO2c0TiV5:GUpOxdypVXnRcoegf3erjxF4Jwc3zBtT
MD5:	FEBFF0A23D57E24280719B29FF3058B3
SHA1:	600CAD9CDABC996A7AF0481A745D47F793681C1E
SHA-256:	37BB7E22931E048925102D8074853E5C80703F61D31C82A6E3FB5E02DA5DA88B
SHA-512:	270E76F17E0A9792A0D131A0187B0EDFC42F66DE84ADDF4D85421737D8F92CC4F11888550E74D3A8B61E3CA3A24175DA3990A2E844440D11180271ECEB635A15
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{155e431a-fa2a-4ae6-96c4-dbe1459c37c6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732526671808,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P35635...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...40337,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.339405511143963
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSvQLXnIrhpVt/pnxQwRcWT5sKmgb043eHVpjO+FamhujJwO2c0TiV5:GUpOxdypVXnRcoegf3erjxF4Jwc3zBtT
MD5:	FEBFF0A23D57E24280719B29FF3058B3
SHA1:	600CAD9CDABC996A7AF0481A745D47F793681C1E
SHA-256:	37BB7E22931E048925102D8074853E5C80703F61D31C82A6E3FB5E02DA5DA88B
SHA-512:	270E76F17E0A9792A0D131A0187B0EDFC42F66DE84ADDF4D85421737D8F92CC4F11888550E74D3A8B61E3CA3A24175DA3990A2E844440D11180271ECEB635A15
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{155e431a-fa2a-4ae6-96c4-dbe1459c37c6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732526671808,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P35635...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...40337,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029359076949326
Encrypted:	false
SSDEEP:	96:yctMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:UTEr5NX0z3DhRe
MD5:	8F46B1E44F3EF8D75BD128238E14D56B
SHA1:	47336F591A02E039B81124EDBAD247BD1E8DA02B
SHA-256:	CEF3985F557E3EC0A3F00316C3B38934CC797B87714155B26F0AD98E02035E1D
SHA-512:	8E05A9727DC2707245E184994BB16BDD37C8B36CD70941D1319497020652F7F30F8683165F6D02590575181BBB927916A2C952AF199186592812D5988D23B440
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T09:24:12.236Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029359076949326
Encrypted:	false
SSDEEP:	96:yctMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:UTEr5NX0z3DhRe
MD5:	8F46B1E44F3EF8D75BD128238E14D56B
SHA1:	47336F591A02E039B81124EDBAD247BD1E8DA02B
SHA-256:	CEF3985F557E3EC0A3F00316C3B38934CC797B87714155B26F0AD98E02035E1D
SHA-512:	8E05A9727DC2707245E184994BB16BDD37C8B36CD70941D1319497020652F7F30F8683165F6D02590575181BBB927916A2C952AF199186592812D5988D23B440
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T09:24:12.236Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592822679837985
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	0e2fc9b36d332fa942b2d7f9fdf25acd
SHA1:	58c53e720ac23f2d2e0b6ed5d465169444eed15a
SHA256:	f2db82dd018315d2b557e4d5b52c281aec951d65c21895a7650bc73e4d63a9b5
SHA512:	e6013d54f393cb21b257e8d1867275d7ed36bd5eb46105464402b92bd7c81d59ae9bca7f6bb64c7134a80cd7387aedadd06d6857567959575fc741dae5d735e6
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaXTk:3qDEvCTbMWu7rQYlBQcBiT6rprG8aDk
TLSH:	59159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67442800 [Mon Nov 25 07:32:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F08ED2B4A53h
jmp 00007F08ED2B435Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F08ED2B453Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F08ED2B450Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F08ED2B70FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F08ED2B7148h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F08ED2B7131h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa9d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa9d0	0xaa00	efb8440161223ccd60ef0f85146e1216	False	0.37807904411764703	data	5.658074362636078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1c98	data			1.001502732240437
RT_GROUP_ICON	0xde450	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde4c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde4dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde4f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde504	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde5e0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:44:14.988759995 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:14.988807917 CET	443	49724	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:14.990408897 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:15.004863977 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:15.004884005 CET	443	49724	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:15.601372957 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.601475954 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:15.601816893 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.603236914 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.603291035 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:15.732029915 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.732062101 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:15.735399961 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.739564896 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:15.739574909 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:15.899121046 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:16.018717051 CET	80	49727	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:16.020704985 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:16.020953894 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:16.140481949 CET	80	49727	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:16.312712908 CET	443	49724	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:16.325368881 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:16.439595938 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:16.439611912 CET	443	49724	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:16.439737082 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:16.439886093 CET	443	49724	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:16.446912050 CET	49724	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:17.106656075 CET	80	49727	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:17.121504068 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:17.121548891 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:17.121772051 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:17.121855021 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:17.121866941 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:17.123189926 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.123207092 CET	443	49733	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:17.123820066 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.125308037 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.125324965 CET	443	49733	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:17.137094021 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.137145042 CET	443	49734	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:17.137280941 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.139077902 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:17.139096022 CET	443	49734	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:17.166954994 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:17.167005062 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:17.167155981 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:17.167287111 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:17.167299032 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:17.191930056 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:17.343379021 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.344074011 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.346316099 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.346337080 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.351372957 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.351392031 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.351517916 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.351620913 CET	443	49725	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.352637053 CET	49725	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.380131006 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:17.429457903 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.430180073 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.433082104 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.433094025 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.444128990 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.444139004 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.444269896 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.444705009 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.444755077 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.444777966 CET	443	49726	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.451375961 CET	49726	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.451395988 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.452819109 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:17.452833891 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:17.499819994 CET	80	49736	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:17.499928951 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:17.500288963 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:17.619721889 CET	80	49736	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:18.381372929 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.381589890 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:18.382174969 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:18.382556915 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:18.384758949 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:18.384768963 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.385030031 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.387893915 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:18.387908936 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:18.388331890 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:18.391215086 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:18.391360998 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.391529083 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:18.391535997 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.391774893 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:18.391827106 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:18.391967058 CET	443	49732	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:18.392079115 CET	49732	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:18.410161018 CET	443	49734	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.410231113 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.413914919 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.413925886 CET	443	49734	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.414010048 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.414093018 CET	443	49734	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.415952921 CET	49734	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.439918041 CET	443	49733	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.440005064 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.445002079 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.445015907 CET	443	49733	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.445091009 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.445163012 CET	443	49733	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.449069023 CET	49733	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.599344015 CET	443	49735	34.160.144.191	192.168.2.5
Nov 25, 2024 08:44:18.599421024 CET	49735	443	192.168.2.5	34.160.144.191
Nov 25, 2024 08:44:18.677365065 CET	80	49736	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:18.743304968 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.771332026 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.771338940 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.806735039 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.806785107 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.809505939 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:18.809554100 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:18.828058004 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.828178883 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:18.829490900 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:18.829511881 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:18.830959082 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:18.830976963 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:18.860347033 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.891112089 CET	80	49736	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:18.891810894 CET	80	49727	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:18.893362045 CET	49736	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.893407106 CET	49727	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.979898930 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:18.980070114 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:18.980287075 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:19.099724054 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:19.148015976 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.148044109 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.148737907 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.153023005 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:19.153037071 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.158963919 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:19.158974886 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.159065962 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:19.159184933 CET	443	49737	142.250.181.78	192.168.2.5
Nov 25, 2024 08:44:19.160157919 CET	49737	443	192.168.2.5	142.250.181.78
Nov 25, 2024 08:44:19.220886946 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:19.220947027 CET	443	49749	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:19.221174002 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:19.222932100 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:19.222948074 CET	443	49749	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:19.298448086 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:19.298497915 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:19.310828924 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:19.311165094 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:19.311183929 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:19.336060047 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:19.336097002 CET	443	49752	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:19.337261915 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:19.338735104 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:19.338748932 CET	443	49752	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:20.068577051 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:20.091516972 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:20.091557026 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:20.091655970 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:20.092580080 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:20.092597008 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:20.092653036 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:20.113013029 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:20.115770102 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:20.115780115 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:20.115854025 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:20.115979910 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:20.115988016 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:20.116019011 CET	443	49742	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:20.116044044 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:20.116194963 CET	443	49741	34.117.188.166	192.168.2.5
Nov 25, 2024 08:44:20.116199017 CET	49742	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:20.116585970 CET	49741	443	192.168.2.5	34.117.188.166
Nov 25, 2024 08:44:20.483603954 CET	443	49749	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:20.483699083 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:20.492376089 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:20.492389917 CET	443	49749	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:20.492460966 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:20.492572069 CET	443	49749	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:20.492733002 CET	49749	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:20.568908930 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:20.568924904 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:20.572809935 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.575758934 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.575773954 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:20.576037884 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:20.578262091 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.578341007 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.578423977 CET	443	49751	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:20.578496933 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.578512907 CET	49751	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:20.602008104 CET	443	49752	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:20.609287977 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:20.614013910 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:20.614034891 CET	443	49752	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:20.614106894 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:20.614190102 CET	443	49752	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:20.614547014 CET	49752	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:23.414403915 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:23.521781921 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:23.533948898 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:23.534470081 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:23.641371012 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:23.836612940 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:23.885538101 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:23.898849964 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:24.018424988 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:24.666003942 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:24.719099998 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:27.998259068 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998318911 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:27.998554945 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998594046 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:27.998711109 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998857021 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998873949 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:27.998878002 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998986959 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:27.998997927 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.000468016 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.000516891 CET	443	49778	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.000716925 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.003236055 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.003269911 CET	443	49778	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.003395081 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:29.122900009 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:29.213502884 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.213579893 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.216234922 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.216245890 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.216521978 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.219047070 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.219165087 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.219230890 CET	443	49772	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.219310045 CET	49772	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.255856037 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:29.259969950 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.262336016 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.265017986 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.265028954 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.265366077 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.267011881 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.267102003 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.267187119 CET	443	49771	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:29.267481089 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.267519951 CET	49771	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:29.326936960 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:29.375034094 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:29.375320911 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:29.459342003 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:29.459410906 CET	443	49779	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:29.459775925 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:29.461381912 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:29.461409092 CET	443	49779	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:29.570352077 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:29.629066944 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:30.259298086 CET	443	49778	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:30.259401083 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:30.644182920 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:30.644215107 CET	443	49778	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:30.644279957 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:30.644512892 CET	443	49778	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:30.647712946 CET	49778	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:30.690367937 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:30.695445061 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:30.719144106 CET	443	49779	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:30.719218016 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:30.724462032 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:30.724478960 CET	443	49779	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:30.724525928 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:30.724634886 CET	443	49779	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:30.725063086 CET	49779	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:30.809848070 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:30.814898968 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.009943962 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.014277935 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.064450979 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.064491034 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.155107021 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:31.155133009 CET	443	49785	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:31.159609079 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.160478115 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.161123991 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:31.166171074 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:31.166183949 CET	443	49785	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:31.279138088 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.280009031 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.474939108 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.483143091 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:31.534734011 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.534735918 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:31.892718077 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:32.012226105 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:32.216202021 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:32.268100977 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:32.376674891 CET	443	49785	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:32.376816988 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:33.661473036 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:33.661499023 CET	443	49785	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:33.661626101 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:33.661818981 CET	443	49785	34.120.208.123	192.168.2.5
Nov 25, 2024 08:44:33.667009115 CET	49785	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:44:33.752439976 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:33.871922016 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:34.066903114 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:34.070858002 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:34.118113995 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:34.190560102 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:34.394392967 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:34.450253010 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:41.350575924 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:41.350630045 CET	443	49808	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:41.350759983 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:41.352305889 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:41.352323055 CET	443	49808	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:42.563843966 CET	443	49808	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:42.565588951 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:42.570576906 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:42.570586920 CET	443	49808	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:42.570668936 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:42.570748091 CET	443	49808	34.107.243.93	192.168.2.5
Nov 25, 2024 08:44:42.570847034 CET	49808	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:44:42.574204922 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:42.693727016 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:42.772914886 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:42.772965908 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:42.778436899 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:42.778598070 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:42.778625965 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:42.801501989 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:42.801539898 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:42.804003954 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:42.804034948 CET	443	49816	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:42.810311079 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:42.810414076 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:42.810542107 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:42.810554028 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:42.812357903 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:42.812371969 CET	443	49816	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:42.888655901 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:42.893033981 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:42.948995113 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:42.952047110 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:42.952099085 CET	443	49817	35.201.103.21	192.168.2.5
Nov 25, 2024 08:44:42.952394009 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:42.953943968 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:42.953957081 CET	443	49817	35.201.103.21	192.168.2.5
Nov 25, 2024 08:44:43.013005972 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:43.023639917 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:43.023709059 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:43.024432898 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:43.024579048 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:43.024590015 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:43.216330051 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:43.265513897 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:43.989245892 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:43.989330053 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:43.994565010 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:43.994575977 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:43.994853020 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:43.997863054 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:43.998016119 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:43.998023033 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:43.998037100 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.002651930 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:44.020381927 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.020402908 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.020498991 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.023607969 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.023622990 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.023906946 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.026611090 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.026758909 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.026770115 CET	443	49815	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.027043104 CET	49815	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.070477009 CET	443	49816	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:44.071242094 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:44.077253103 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:44.077265024 CET	443	49816	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:44.077364922 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:44.077486992 CET	443	49816	35.190.72.216	192.168.2.5
Nov 25, 2024 08:44:44.078233004 CET	49816	443	192.168.2.5	35.190.72.216
Nov 25, 2024 08:44:44.122145891 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:44.207330942 CET	443	49814	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.207410097 CET	49814	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.264246941 CET	443	49817	35.201.103.21	192.168.2.5
Nov 25, 2024 08:44:44.264329910 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:44.270329952 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:44.270342112 CET	443	49817	35.201.103.21	192.168.2.5
Nov 25, 2024 08:44:44.270468950 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:44.270637989 CET	443	49817	35.201.103.21	192.168.2.5
Nov 25, 2024 08:44:44.271292925 CET	49817	443	192.168.2.5	35.201.103.21
Nov 25, 2024 08:44:44.284580946 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.284609079 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.284746885 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.284900904 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:44.284913063 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:44.288552046 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:44.288634062 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:44.293378115 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:44.293385983 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:44.293786049 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:44.296586037 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:44.296724081 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:44.296788931 CET	443	49818	151.101.129.91	192.168.2.5
Nov 25, 2024 08:44:44.299719095 CET	49818	443	192.168.2.5	151.101.129.91
Nov 25, 2024 08:44:44.305063009 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.305099010 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.305424929 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.305524111 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.305545092 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.307753086 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.307789087 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.308367014 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.308494091 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.308509111 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.309946060 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.309976101 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.310213089 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.310314894 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:44.310329914 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:44.317102909 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:44.319355011 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:44.368699074 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:44.438927889 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:44.642859936 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:44.685230970 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:45.500237942 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:45.502080917 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:45.506088972 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:45.506094933 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:45.506428957 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:45.513433933 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:45.513530016 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:45.513818979 CET	443	49821	34.149.100.209	192.168.2.5
Nov 25, 2024 08:44:45.514621973 CET	49821	443	192.168.2.5	34.149.100.209
Nov 25, 2024 08:44:45.519570112 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:45.607475996 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.610718966 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.612746000 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.615353107 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.617026091 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.619151115 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.619168997 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.619173050 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.620285988 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.620292902 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.620599031 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.622749090 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.622756958 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.622996092 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.624952078 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.624979019 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.625226021 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.629484892 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.629507065 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.629616022 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.629645109 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.629659891 CET	443	49823	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.629678011 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.629688978 CET	443	49825	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.630187035 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.630243063 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.630345106 CET	443	49824	35.244.181.201	192.168.2.5
Nov 25, 2024 08:44:45.630469084 CET	49823	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.630486965 CET	49824	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.630492926 CET	49825	443	192.168.2.5	35.244.181.201
Nov 25, 2024 08:44:45.639416933 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:45.835011959 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:45.840161085 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:45.888705969 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:45.959719896 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:46.163711071 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:46.205204010 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:55.847321033 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:55.966744900 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:44:56.179553986 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:44:56.299119949 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:02.689042091 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:02.689070940 CET	443	49871	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:02.689553022 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:02.691042900 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:02.691056013 CET	443	49871	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:03.946803093 CET	443	49871	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:03.946876049 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:03.951664925 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:03.951680899 CET	443	49871	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:03.951745987 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:03.951807976 CET	443	49871	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:03.953351974 CET	49871	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:03.954821110 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:04.074266911 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:04.271169901 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:04.274488926 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:04.316505909 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:04.394244909 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:04.598227978 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:04.648591995 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:13.826163054 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.826188087 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:13.826329947 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.826368093 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:13.826905012 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.826951027 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.827063084 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.827079058 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:13.827248096 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:13.827260017 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:14.290751934 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:14.411026001 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:14.601841927 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:14.721456051 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.037003040 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.037698030 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.045882940 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.045907021 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.046188116 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.048583984 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.048696995 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.048759937 CET	443	49899	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.051548958 CET	49899	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.053436041 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:15.084979057 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.085330009 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.088548899 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.088557959 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.088860989 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.091068029 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.091164112 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.091325045 CET	443	49898	34.120.208.123	192.168.2.5
Nov 25, 2024 08:45:15.092061043 CET	49898	443	192.168.2.5	34.120.208.123
Nov 25, 2024 08:45:15.172878981 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.367846966 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.371589899 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:15.418062925 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:15.491107941 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.537508011 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.697990894 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.733640909 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:15.737088919 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:15.774039030 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:15.856698036 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:16.061059952 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:16.106194973 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:25.742943048 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:25.862397909 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:26.075160980 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:26.194621086 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:35.873625040 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:35.993127108 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:36.205432892 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:36.324928999 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:45.125538111 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:45.125592947 CET	443	49970	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:45.126010895 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:45.127585888 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:45.127602100 CET	443	49970	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:46.002281904 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:46.121824026 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:46.334395885 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:46.564908028 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:46.566436052 CET	443	49970	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:46.566523075 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:46.572424889 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:46.572438002 CET	443	49970	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:46.572525024 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:46.572608948 CET	443	49970	34.107.243.93	192.168.2.5
Nov 25, 2024 08:45:46.572774887 CET	49970	443	192.168.2.5	34.107.243.93
Nov 25, 2024 08:45:46.575637102 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:46.695199966 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:46.890346050 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:46.894304991 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:46.936142921 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:47.014105082 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:47.217842102 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:47.274820089 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:56.902024031 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:57.021553993 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:45:57.218640089 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:45:57.338310957 CET	80	49759	34.107.221.82	192.168.2.5
Nov 25, 2024 08:46:07.031847000 CET	49743	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:46:07.151346922 CET	80	49743	34.107.221.82	192.168.2.5
Nov 25, 2024 08:46:07.347888947 CET	49759	80	192.168.2.5	34.107.221.82
Nov 25, 2024 08:46:07.467520952 CET	80	49759	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:44:14.989569902 CET	54976	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.226279974 CET	53	54976	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.227180958 CET	55210	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.365273952 CET	53	55210	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.462954998 CET	57084	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.463488102 CET	51112	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.600349903 CET	53	51112	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.601627111 CET	51704	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.604672909 CET	61021	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.738503933 CET	53	51704	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.742208004 CET	53	61021	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.751894951 CET	56908	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.755095959 CET	51940	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:15.889015913 CET	53	56908	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:15.892429113 CET	53	51940	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:16.983752012 CET	56215	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:16.996145010 CET	54899	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.027647018 CET	59276	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.121751070 CET	53	56215	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.122699022 CET	53167	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.123750925 CET	60294	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.132920027 CET	53	54899	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.137228966 CET	56736	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.165668964 CET	53	59276	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.188993931 CET	61004	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.239213943 CET	61401	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.239924908 CET	54725	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.260387897 CET	53	53167	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.260974884 CET	53	60294	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.261691093 CET	53362	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.261935949 CET	52816	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.276060104 CET	53	56736	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.277021885 CET	58677	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.325987101 CET	53	61004	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.337177038 CET	57539	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.378087997 CET	53	61401	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.398544073 CET	53	53362	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.398977041 CET	53	52816	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.399821043 CET	52881	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.414493084 CET	53	58677	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.538266897 CET	53	52881	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.539729118 CET	63775	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:17.678685904 CET	53	63775	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.942090034 CET	53	61551	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:17.985317945 CET	52897	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:18.122642040 CET	53	52897	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:18.124166012 CET	49225	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:18.261851072 CET	53	49225	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:18.269993067 CET	51683	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:18.406469107 CET	53	51683	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:19.176584005 CET	50878	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:19.220783949 CET	59179	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:19.315076113 CET	53	50878	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:19.355839968 CET	56432	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:19.358236074 CET	53	59179	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:19.391612053 CET	57591	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:19.493318081 CET	53	56432	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:19.497775078 CET	63447	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:19.529973030 CET	53	57591	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:19.636965036 CET	53	63447	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:23.410654068 CET	52497	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:23.549491882 CET	53	52497	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:23.908401012 CET	54348	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:24.046401024 CET	53	54348	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:24.169846058 CET	64698	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:24.308211088 CET	53	64698	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:27.858889103 CET	61254	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:27.996161938 CET	53	61254	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:29.462421894 CET	64437	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:29.599430084 CET	53	64437	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:30.690311909 CET	62124	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:30.691307068 CET	54248	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:30.691612959 CET	54106	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:30.828228951 CET	53	62124	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:30.828366041 CET	53	54248	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:30.830066919 CET	53	54106	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.152597904 CET	58560	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.152868986 CET	64337	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.153086901 CET	53481	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.290343046 CET	53	53481	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.290630102 CET	53	58560	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.294269085 CET	50235	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.294409990 CET	62115	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.294768095 CET	53	64337	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.295380116 CET	50499	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.431220055 CET	53	62115	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.432183027 CET	54850	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.433374882 CET	53	50499	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.434048891 CET	64586	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.502635956 CET	53	50235	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.569051981 CET	53	54850	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.570724010 CET	53	64586	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:31.876157999 CET	56716	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:31.876513004 CET	63857	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:32.014290094 CET	53	56716	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:32.014360905 CET	53	63857	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:32.015094042 CET	54163	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:32.015094042 CET	60503	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:32.152160883 CET	53	60503	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:32.230954885 CET	53	54163	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:41.351373911 CET	50441	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:41.489345074 CET	53	50441	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:42.774039030 CET	54413	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:42.793380976 CET	64304	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:42.812877893 CET	62412	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:42.916234016 CET	53	54413	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:42.950790882 CET	53	62412	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:42.952311039 CET	49838	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:43.018479109 CET	53	64304	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:43.024363041 CET	49499	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:43.091752052 CET	53	49838	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:43.092694998 CET	61358	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:43.161863089 CET	53	49499	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:43.162856102 CET	51179	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:44:43.229733944 CET	53	61358	1.1.1.1	192.168.2.5
Nov 25, 2024 08:44:43.394514084 CET	53	51179	1.1.1.1	192.168.2.5
Nov 25, 2024 08:45:02.689636946 CET	57408	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:45:02.827284098 CET	53	57408	1.1.1.1	192.168.2.5
Nov 25, 2024 08:45:03.955568075 CET	64643	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:45:13.825212955 CET	53508	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:45:13.962280989 CET	53	53508	1.1.1.1	192.168.2.5
Nov 25, 2024 08:45:44.986903906 CET	62184	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:45:45.124231100 CET	53	62184	1.1.1.1	192.168.2.5
Nov 25, 2024 08:45:45.125940084 CET	56155	53	192.168.2.5	1.1.1.1
Nov 25, 2024 08:45:45.262799025 CET	53	56155	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 08:44:14.989569902 CET	192.168.2.5	1.1.1.1	0xb845	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.227180958 CET	192.168.2.5	1.1.1.1	0xe8c0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:15.462954998 CET	192.168.2.5	1.1.1.1	0x4d25	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.463488102 CET	192.168.2.5	1.1.1.1	0x5fbe	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.601627111 CET	192.168.2.5	1.1.1.1	0x4c29	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.604672909 CET	192.168.2.5	1.1.1.1	0x5c6a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.751894951 CET	192.168.2.5	1.1.1.1	0xe0d9	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:15.755095959 CET	192.168.2.5	1.1.1.1	0x6cbd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:16.983752012 CET	192.168.2.5	1.1.1.1	0x8495	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:16.996145010 CET	192.168.2.5	1.1.1.1	0xf0d0	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.027647018 CET	192.168.2.5	1.1.1.1	0x342e	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.122699022 CET	192.168.2.5	1.1.1.1	0x1546	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.123750925 CET	192.168.2.5	1.1.1.1	0x3c13	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.137228966 CET	192.168.2.5	1.1.1.1	0x2443	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.188993931 CET	192.168.2.5	1.1.1.1	0x24db	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.239213943 CET	192.168.2.5	1.1.1.1	0x10e0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.239924908 CET	192.168.2.5	1.1.1.1	0xb2ae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.261691093 CET	192.168.2.5	1.1.1.1	0xb9fc	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:17.261935949 CET	192.168.2.5	1.1.1.1	0x65b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:17.277021885 CET	192.168.2.5	1.1.1.1	0x104d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:17.337177038 CET	192.168.2.5	1.1.1.1	0xef37	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.399821043 CET	192.168.2.5	1.1.1.1	0xc9	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.539729118 CET	192.168.2.5	1.1.1.1	0xa612	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:17.985317945 CET	192.168.2.5	1.1.1.1	0xd21e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:18.124166012 CET	192.168.2.5	1.1.1.1	0x1164	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:18.269993067 CET	192.168.2.5	1.1.1.1	0x70a4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:19.176584005 CET	192.168.2.5	1.1.1.1	0x810a	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.220783949 CET	192.168.2.5	1.1.1.1	0x9227	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.355839968 CET	192.168.2.5	1.1.1.1	0x926	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.391612053 CET	192.168.2.5	1.1.1.1	0xab65	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:19.497775078 CET	192.168.2.5	1.1.1.1	0x3439	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:23.410654068 CET	192.168.2.5	1.1.1.1	0x9c29	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:23.908401012 CET	192.168.2.5	1.1.1.1	0x2649	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:24.169846058 CET	192.168.2.5	1.1.1.1	0x90d0	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:27.858889103 CET	192.168.2.5	1.1.1.1	0x9eea	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:29.462421894 CET	192.168.2.5	1.1.1.1	0x845	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:30.690311909 CET	192.168.2.5	1.1.1.1	0x198b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.691307068 CET	192.168.2.5	1.1.1.1	0x95e2	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.691612959 CET	192.168.2.5	1.1.1.1	0xf26d	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.152597904 CET	192.168.2.5	1.1.1.1	0xf0ef	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.152868986 CET	192.168.2.5	1.1.1.1	0xf339	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.153086901 CET	192.168.2.5	1.1.1.1	0x26a0	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.294269085 CET	192.168.2.5	1.1.1.1	0xcb1c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 08:44:31.294409990 CET	192.168.2.5	1.1.1.1	0x57b5	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:31.295380116 CET	192.168.2.5	1.1.1.1	0x70ba	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:31.432183027 CET	192.168.2.5	1.1.1.1	0x7036	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.434048891 CET	192.168.2.5	1.1.1.1	0xfc4f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.876157999 CET	192.168.2.5	1.1.1.1	0xe04f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.876513004 CET	192.168.2.5	1.1.1.1	0x3b24	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.015094042 CET	192.168.2.5	1.1.1.1	0xb299	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:32.015094042 CET	192.168.2.5	1.1.1.1	0xf537	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:41.351373911 CET	192.168.2.5	1.1.1.1	0x4c4b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:42.774039030 CET	192.168.2.5	1.1.1.1	0xcb8a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 08:44:42.793380976 CET	192.168.2.5	1.1.1.1	0x4395	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:42.812877893 CET	192.168.2.5	1.1.1.1	0x3367	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:42.952311039 CET	192.168.2.5	1.1.1.1	0x381b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.024363041 CET	192.168.2.5	1.1.1.1	0xc766	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.092694998 CET	192.168.2.5	1.1.1.1	0x6cdc	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:44:43.162856102 CET	192.168.2.5	1.1.1.1	0x2344	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 08:45:02.689636946 CET	192.168.2.5	1.1.1.1	0xd305	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:45:03.955568075 CET	192.168.2.5	1.1.1.1	0x4970	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:45:13.825212955 CET	192.168.2.5	1.1.1.1	0x1ff6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 08:45:44.986903906 CET	192.168.2.5	1.1.1.1	0x8585	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:45:45.125940084 CET	192.168.2.5	1.1.1.1	0x2404	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 08:44:14.952997923 CET	1.1.1.1	192.168.2.5	0x7422	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.226279974 CET	1.1.1.1	192.168.2.5	0xb845	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.600349903 CET	1.1.1.1	192.168.2.5	0x5fbe	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.602675915 CET	1.1.1.1	192.168.2.5	0x4d25	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:15.602675915 CET	1.1.1.1	192.168.2.5	0x4d25	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.738503933 CET	1.1.1.1	192.168.2.5	0x4c29	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.742208004 CET	1.1.1.1	192.168.2.5	0x5c6a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:15.889015913 CET	1.1.1.1	192.168.2.5	0xe0d9	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:15.892429113 CET	1.1.1.1	192.168.2.5	0x6cbd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 08:44:17.120429993 CET	1.1.1.1	192.168.2.5	0x2363	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.120429993 CET	1.1.1.1	192.168.2.5	0x2363	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.121751070 CET	1.1.1.1	192.168.2.5	0x8495	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.132920027 CET	1.1.1.1	192.168.2.5	0xf0d0	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.132920027 CET	1.1.1.1	192.168.2.5	0xf0d0	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.165668964 CET	1.1.1.1	192.168.2.5	0x342e	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.165668964 CET	1.1.1.1	192.168.2.5	0x342e	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.165668964 CET	1.1.1.1	192.168.2.5	0x342e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.260387897 CET	1.1.1.1	192.168.2.5	0x1546	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.260974884 CET	1.1.1.1	192.168.2.5	0x3c13	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.276060104 CET	1.1.1.1	192.168.2.5	0x2443	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.325987101 CET	1.1.1.1	192.168.2.5	0x24db	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.378087997 CET	1.1.1.1	192.168.2.5	0x10e0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.378087997 CET	1.1.1.1	192.168.2.5	0x10e0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.378663063 CET	1.1.1.1	192.168.2.5	0xb2ae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.378663063 CET	1.1.1.1	192.168.2.5	0xb2ae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.538266897 CET	1.1.1.1	192.168.2.5	0xc9	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:17.570645094 CET	1.1.1.1	192.168.2.5	0xef37	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:17.678685904 CET	1.1.1.1	192.168.2.5	0xa612	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 08:44:18.122642040 CET	1.1.1.1	192.168.2.5	0xd21e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:18.261851072 CET	1.1.1.1	192.168.2.5	0x1164	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.219571114 CET	1.1.1.1	192.168.2.5	0x40	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.289143085 CET	1.1.1.1	192.168.2.5	0x77ea	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:19.289143085 CET	1.1.1.1	192.168.2.5	0x77ea	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.315076113 CET	1.1.1.1	192.168.2.5	0x810a	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:19.315076113 CET	1.1.1.1	192.168.2.5	0x810a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.358236074 CET	1.1.1.1	192.168.2.5	0x9227	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:19.493318081 CET	1.1.1.1	192.168.2.5	0x926	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:23.549491882 CET	1.1.1.1	192.168.2.5	0x9c29	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:23.549491882 CET	1.1.1.1	192.168.2.5	0x9c29	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:23.549491882 CET	1.1.1.1	192.168.2.5	0x9c29	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:24.046401024 CET	1.1.1.1	192.168.2.5	0x2649	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:28.108128071 CET	1.1.1.1	192.168.2.5	0xe1e7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828228951 CET	1.1.1.1	192.168.2.5	0x198b	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828366041 CET	1.1.1.1	192.168.2.5	0x95e2	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:30.828366041 CET	1.1.1.1	192.168.2.5	0x95e2	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:30.830066919 CET	1.1.1.1	192.168.2.5	0xf26d	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:30.830066919 CET	1.1.1.1	192.168.2.5	0xf26d	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290343046 CET	1.1.1.1	192.168.2.5	0x26a0	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.290630102 CET	1.1.1.1	192.168.2.5	0xf0ef	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.294768095 CET	1.1.1.1	192.168.2.5	0xf339	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.431220055 CET	1.1.1.1	192.168.2.5	0x57b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.431220055 CET	1.1.1.1	192.168.2.5	0x57b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.431220055 CET	1.1.1.1	192.168.2.5	0x57b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.431220055 CET	1.1.1.1	192.168.2.5	0x57b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.433374882 CET	1.1.1.1	192.168.2.5	0x70ba	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.502635956 CET	1.1.1.1	192.168.2.5	0xcb1c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 08:44:31.569051981 CET	1.1.1.1	192.168.2.5	0x7036	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:31.569051981 CET	1.1.1.1	192.168.2.5	0x7036	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.569051981 CET	1.1.1.1	192.168.2.5	0x7036	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.569051981 CET	1.1.1.1	192.168.2.5	0x7036	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.569051981 CET	1.1.1.1	192.168.2.5	0x7036	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:31.570724010 CET	1.1.1.1	192.168.2.5	0xfc4f	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.014290094 CET	1.1.1.1	192.168.2.5	0xe04f	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.014360905 CET	1.1.1.1	192.168.2.5	0x3b24	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.014360905 CET	1.1.1.1	192.168.2.5	0x3b24	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.014360905 CET	1.1.1.1	192.168.2.5	0x3b24	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:32.014360905 CET	1.1.1.1	192.168.2.5	0x3b24	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:42.950790882 CET	1.1.1.1	192.168.2.5	0x3367	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:42.950790882 CET	1.1.1.1	192.168.2.5	0x3367	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.018479109 CET	1.1.1.1	192.168.2.5	0x4395	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.018479109 CET	1.1.1.1	192.168.2.5	0x4395	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.018479109 CET	1.1.1.1	192.168.2.5	0x4395	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.018479109 CET	1.1.1.1	192.168.2.5	0x4395	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.091752052 CET	1.1.1.1	192.168.2.5	0x381b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.161863089 CET	1.1.1.1	192.168.2.5	0xc766	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.161863089 CET	1.1.1.1	192.168.2.5	0xc766	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.161863089 CET	1.1.1.1	192.168.2.5	0xc766	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.161863089 CET	1.1.1.1	192.168.2.5	0xc766	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:44:43.394514084 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 08:44:43.394514084 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 08:44:43.394514084 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 08:44:43.394514084 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 08:44:46.242727041 CET	1.1.1.1	192.168.2.5	0xb07f	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:44:46.242727041 CET	1.1.1.1	192.168.2.5	0xb07f	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:45:04.097685099 CET	1.1.1.1	192.168.2.5	0x4970	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:45:04.097685099 CET	1.1.1.1	192.168.2.5	0x4970	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:45:13.821158886 CET	1.1.1.1	192.168.2.5	0xccdb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:45:45.124231100 CET	1.1.1.1	192.168.2.5	0x8585	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49727	34.107.221.82	80	7792	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:44:16.020953894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:17.106656075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84259 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49736	34.107.221.82	80	7792	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:44:17.500288963 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:18.677365065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 83101 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49743	34.107.221.82	80	7792	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:44:18.980287075 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:20.068577051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84262 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:23.521781921 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:23.836612940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84266 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:29.255856037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:29.570352077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84272 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:30.695445061 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:31.009943962 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84273 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:31.160478115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:31.474939108 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84274 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:33.752439976 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:34.066903114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84276 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:42.574204922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:42.888655901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84285 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:44.002651930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:44.317102909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84287 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:45.519570112 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:44:45.835011959 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84288 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:44:55.847321033 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:03.954821110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:45:04.271169901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84307 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:45:14.290751934 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:15.053436041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:45:15.367846966 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84318 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:45:15.418062925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:45:15.733640909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84318 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:45:25.742943048 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:35.873625040 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:46.002281904 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:46.575637102 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 08:45:46.890346050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 84349 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 08:45:56.902024031 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:46:07.031847000 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49759	34.107.221.82	80	7792	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:44:23.898849964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:24.666003942 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76188 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:29.003395081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:29.326936960 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76193 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:30.690367937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:31.014277935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76194 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:31.159609079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:31.483143091 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76195 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:31.892718077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:32.216202021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76196 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:34.070858002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:34.394392967 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76198 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:42.893033981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:43.216330051 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76207 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:44.319355011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:44.642859936 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76208 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:45.840161085 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:44:46.163711071 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76210 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:44:56.179553986 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:04.274488926 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:45:04.598227978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76228 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:45:14.601841927 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:15.371589899 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:45:15.697990894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76239 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:45:15.737088919 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:45:16.061059952 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76239 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:45:26.075160980 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:36.205432892 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:46.334395885 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:45:46.894304991 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 08:45:47.217842102 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 10:34:36 GMT Age: 76271 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 08:45:57.218640089 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 08:46:07.347888947 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:44:07
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x890000
File size:	922'624 bytes
MD5 hash:	0E2FC9B36D332FA942B2D7F9FDF25ACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:44:07
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x2c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:44:07
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:44:09
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x2c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:44:09
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:44:09
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x2c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:44:09
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x2c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x2c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:44:10
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:44:11
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5001cba-8597-4352-a3c0-51983316fda4} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a69206e510 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:44:14
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1816 -parentBuildID 20230927232528 -prefsHandle 4036 -prefMapHandle 1812 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b588b09-fe46-4510-a1fc-1bacfcafc118} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a9e16e10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:44:18
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5012 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fea274c-9946-4545-8205-312b04a368a8} 7792 "\\.\pipe\gecko-crash-server-pipe.7792" 2a6a36b2510 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1578
Total number of Limit Nodes:	51

Executed Functions

Function 008942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0089430D

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

GetCurrentProcess.KERNEL32(?,0092CB64,00000000,?,?), ref: 00894422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00894429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00894454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00894466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00894474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0089447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008944A0

Strings

|O, xrefs: 008D36F8
kernel32.dll, xrefs: 0089444F
GetNativeSystemInfo, xrefs: 00894460

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e6e8c91c67a134d179f10efc4d69acff229a1b7af6a45b1ac98273a158b6ebc4
Instruction ID: f5732391b7f7916f72b4b66045ca8a76db5452a8d05cd77d7685daaebd251d07
Opcode Fuzzy Hash: e6e8c91c67a134d179f10efc4d69acff229a1b7af6a45b1ac98273a158b6ebc4
Instruction Fuzzy Hash: 19A1936293E2C4DFCB11EB697C41D997FA4BB36304B0C59AEE043D3B22D2A04545FB66

Function 008942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008950AA,?,?,00000000,00000000), ref: 008942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008950AA,?,?,00000000,00000000), ref: 008942C9
LoadResource.KERNEL32(?,00000000,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20), ref: 008D35BE
SizeofResource.KERNEL32(?,00000000,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20), ref: 008D35D3
LockResource.KERNEL32(008950AA,?,?,008950AA,?,?,00000000,00000000,?,?,?,?,?,?,00894F20,?), ref: 008D35E6

Strings

SCRIPT, xrefs: 008942BF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 722cc31f54d79353c35d48fafb97137e8766c9055d1aa4edd18e36e177c37fe4
Instruction ID: 36c29b97b35ca995d8b41e0a6bf7a53ba96efed019272d22a6b135acb64faace
Opcode Fuzzy Hash: 722cc31f54d79353c35d48fafb97137e8766c9055d1aa4edd18e36e177c37fe4
Instruction Fuzzy Hash: C2117CB0204701BFEB219BA5DC48F2B7BB9FFC5B51F248169B412D6650DBB2D8019620

Function 008D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00892B6B

Part of subcall function 00893A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00961418,?,00892E7F,?,?,?,00000000), ref: 00893A78

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00952224), ref: 008D2C10
ShellExecuteW.SHELL32(00000000,?,?,00952224), ref: 008D2C17

Strings

runas, xrefs: 008D2C0B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a75f137429ccc6e546cb2b92730b78a10589ef22da7d6d48f967a8a05831debf
Instruction ID: f3c11519cd2310dc535d75e961109951e59dc850bcbb0ce3debd2f867ba52f9b
Opcode Fuzzy Hash: a75f137429ccc6e546cb2b92730b78a10589ef22da7d6d48f967a8a05831debf
Instruction Fuzzy Hash: D6119D31208305AACF14FF68D8529BE77E4FBA1355F4C042DF582D21A2DF618A0AA713

Function 008FD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008FD501
Process32FirstW.KERNEL32(00000000,?), ref: 008FD50F
Process32NextW.KERNEL32(00000000,?), ref: 008FD52F
CloseHandle.KERNELBASE(00000000), ref: 008FD5DC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f7564788a8623a3ced59afcd2ab383a6ecd7bc77a7f37527d27a8fa2b6111f61
Instruction ID: 398ecf5a17fa2f65301f8d9c8fb95b680798aadac7fd1883f329b4a97e9c5771
Opcode Fuzzy Hash: f7564788a8623a3ced59afcd2ab383a6ecd7bc77a7f37527d27a8fa2b6111f61
Instruction Fuzzy Hash: 8E318F710083049FD704EF68C881ABEBBE8FF99354F14092DF681C21A1EB61A949CB93

Function 008FDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,008D5222), ref: 008FDBCE
GetFileAttributesW.KERNELBASE(?), ref: 008FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 008FDBEE
FindClose.KERNEL32(00000000), ref: 008FDBFA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 476761b6a95da53a900b0d96930a4664c0500f224636899c162111bbe5fa74b5
Instruction ID: 58b7cc83b7dd4f0e6f5f35d57307f20504169087cedfc18db2ddbe18480dcaab
Opcode Fuzzy Hash: 476761b6a95da53a900b0d96930a4664c0500f224636899c162111bbe5fa74b5
Instruction Fuzzy Hash: ABF0A070829A189782306B78AC0E8BE376DEF01334B104702FA76C22E0EBB0995696D5

Function 008B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000,?,008C28E9), ref: 008B4D09
TerminateProcess.KERNEL32(00000000,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000,?,008C28E9), ref: 008B4D10
ExitProcess.KERNEL32 ref: 008B4D22

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 28bd50e1700a6f1f7fac639b3f9a6f3593eba117f202f37d4265638c44c2efea
Instruction ID: ac9d2f41ecca913903ecb96a9dd02bd8d3d5196de324e45a7c1de274bfa18a7c
Opcode Fuzzy Hash: 28bd50e1700a6f1f7fac639b3f9a6f3593eba117f202f37d4265638c44c2efea
Instruction Fuzzy Hash: 15E0B671014548ABCF21AF58ED0AE993B69FB41795B148418FC05CA223CB35DD52EB84

Function 0091AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0091B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0091B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0091B1D4
_wcslen.LIBCMT ref: 0091B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0091B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0091B236
_wcslen.LIBCMT ref: 0091B332

Part of subcall function 009005A7: GetStdHandle.KERNEL32(000000F6), ref: 009005C6

_wcslen.LIBCMT ref: 0091B34B
_wcslen.LIBCMT ref: 0091B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0091B3B6
GetLastError.KERNEL32(00000000), ref: 0091B407
CloseHandle.KERNEL32(?), ref: 0091B439
CloseHandle.KERNEL32(00000000), ref: 0091B44A
CloseHandle.KERNEL32(00000000), ref: 0091B45C
CloseHandle.KERNEL32(00000000), ref: 0091B46E
CloseHandle.KERNEL32(?), ref: 0091B4E3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 46a5664ee15951c122034a54ff2cb0f9881d031416f5b987a7c89b23a66714a0
Instruction ID: e1f57331e3e1e4fb281216a6fb182a54f5d0e609637066d53c2d0d97820a0b4b
Opcode Fuzzy Hash: 46a5664ee15951c122034a54ff2cb0f9881d031416f5b987a7c89b23a66714a0
Instruction Fuzzy Hash: 54F17D316082449FCB14EF28C891B6EBBE6FF85314F18895DF4959B2A2DB31DC45CB52

Function 0089D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0089D807
timeGetTime.WINMM ref: 0089DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB28
TranslateMessage.USER32(?), ref: 0089DB7B
DispatchMessageW.USER32(?), ref: 0089DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB9F
Sleep.KERNELBASE(0000000A), ref: 0089DBB1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 00e88acf4c843e6478cee4e2f6cab5f9b9e75c996fac96a6d0ab2809b327527b
Instruction ID: 36f033f7d097c5ddff28991221ac54b62f65b6530414f95ab7a47c321ef7f37a
Opcode Fuzzy Hash: 00e88acf4c843e6478cee4e2f6cab5f9b9e75c996fac96a6d0ab2809b327527b
Instruction Fuzzy Hash: 41420070608345DFDB28EF29C844BAABBE4FF86314F18452DE556C72A1D770E844DB86

Function 00892CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00892D07
RegisterClassExW.USER32(00000030), ref: 00892D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00892D42
InitCommonControlsEx.COMCTL32(?), ref: 00892D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00892D6F
LoadIconW.USER32(000000A9), ref: 00892D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00892D94

Strings

AutoIt v3 GUI, xrefs: 00892D23
+, xrefs: 00892CF0
0, xrefs: 00892CE9
TaskbarCreated, xrefs: 00892D37

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9d263ce87585318c35fdb3f4c4721c03d40907a3be102a645db3d041058b1559
Instruction ID: d8e75c74054c9b484bf86a0e4b0cc68cda9cbea8fb14f83711172fb8153c22c3
Opcode Fuzzy Hash: 9d263ce87585318c35fdb3f4c4721c03d40907a3be102a645db3d041058b1559
Instruction Fuzzy Hash: 5721F4B5D69318AFDB10DFA4EC49BDDBBB8FB08701F04411AF611A62A0D7B10545EF91

Function 008D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D039A: CreateFileW.KERNELBASE(00000000,00000000,?,008D0704,?,?,00000000,?,008D0704,00000000,0000000C), ref: 008D03B7

GetLastError.KERNEL32 ref: 008D076F
__dosmaperr.LIBCMT ref: 008D0776
GetFileType.KERNELBASE(00000000), ref: 008D0782
GetLastError.KERNEL32 ref: 008D078C
__dosmaperr.LIBCMT ref: 008D0795
CloseHandle.KERNEL32(00000000), ref: 008D07B5
CloseHandle.KERNEL32(?), ref: 008D08FF
GetLastError.KERNEL32 ref: 008D0931
__dosmaperr.LIBCMT ref: 008D0938

Strings

H, xrefs: 008D08BD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0b574bec533af784935a02d02adb354ff64fc9e2adab930d955f6cdbcf702167
Instruction ID: 119ccab581df7f2a219d5ea48e8946f6132d39bc56b26764d01f581f0549dd4d
Opcode Fuzzy Hash: 0b574bec533af784935a02d02adb354ff64fc9e2adab930d955f6cdbcf702167
Instruction Fuzzy Hash: 8AA1F332A141089FDF19AF68DC91BAE7BA0FB46324F14025EF815DF392D6719812DF92

Function 0089344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00893A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00961418,?,00892E7F,?,?,?,00000000), ref: 00893A78

Part of subcall function 00893357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00893379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0089356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008D31CE
RegCloseKey.ADVAPI32(?), ref: 008D3210
_wcslen.LIBCMT ref: 008D3277
_wcslen.LIBCMT ref: 008D3286

Strings

\Include\, xrefs: 00893527
Software\AutoIt v3\AutoIt, xrefs: 00893560
\, xrefs: 008D328C
Include, xrefs: 008D3184, 008D31C5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3d8bae688dad5e2971dea99f1c2df22537bc748c8f7a3f0efba73933d01dc944
Instruction ID: 28b2afaf81e98b32615296baf8ab3e6081c5133bae45c7e4f4c5896b4e2a66f0
Opcode Fuzzy Hash: 3d8bae688dad5e2971dea99f1c2df22537bc748c8f7a3f0efba73933d01dc944
Instruction Fuzzy Hash: 1571C0714187019EC714EF69EC82C6BBBE8FF95B40F44092EF585C32A0EB708A48DB52

Function 00892B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00892B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00892B9D
LoadIconW.USER32(00000063), ref: 00892BB3
LoadIconW.USER32(000000A4), ref: 00892BC5
LoadIconW.USER32(000000A2), ref: 00892BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00892BEF
RegisterClassExW.USER32(?), ref: 00892C40

Part of subcall function 00892CD4: GetSysColorBrush.USER32(0000000F), ref: 00892D07
Part of subcall function 00892CD4: RegisterClassExW.USER32(00000030), ref: 00892D31
Part of subcall function 00892CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00892D42
Part of subcall function 00892CD4: InitCommonControlsEx.COMCTL32(?), ref: 00892D5F
Part of subcall function 00892CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00892D6F
Part of subcall function 00892CD4: LoadIconW.USER32(000000A9), ref: 00892D85
Part of subcall function 00892CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00892D94

Strings

AutoIt v3, xrefs: 00892C2F
0, xrefs: 00892C0F
#, xrefs: 00892C16

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: dae07537430594fac7219fbbffe6d229305b5dbb01ede552acd4727e1e41d7d9
Instruction ID: 23af842c03e8c5830eeea6cdf59829ea097ba2a58d5c38de74b6df0bf62aaab1
Opcode Fuzzy Hash: dae07537430594fac7219fbbffe6d229305b5dbb01ede552acd4727e1e41d7d9
Instruction Fuzzy Hash: 782109B4E28314ABDB109FA5EC55E9D7FB4FB48B50F48001EE501A67A0D7F14640EF90

Function 00893170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0089316A,?,?), ref: 008931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0089316A,?,?), ref: 00893204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00893227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0089316A,?,?), ref: 00893232
CreatePopupMenu.USER32 ref: 00893246
PostQuitMessage.USER32(00000000), ref: 00893267

Strings

TaskbarCreated, xrefs: 0089322D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 85dbc354e9583e27a8944e6655cf7c1c1c7427f6ea821a9dfa50be8d90f465b3
Instruction ID: 3a6925981b7f8a7f14ad14ecfbbb06f0ac2e985d85b9d33a8cd68b61d3fd401c
Opcode Fuzzy Hash: 85dbc354e9583e27a8944e6655cf7c1c1c7427f6ea821a9dfa50be8d90f465b3
Instruction Fuzzy Hash: 1F41F731258208A7DF253BB89D0DB7D375AFB05345F0C012AF512D67B1CBA19A41A7A2

Function 00891410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00891459
CoUninitialize.COMBASE ref: 008914F8
UnregisterHotKey.USER32(?), ref: 008916DD
DestroyWindow.USER32(?), ref: 008D24B9
FreeLibrary.KERNEL32(?), ref: 008D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008D254B

Strings

close all, xrefs: 00891454

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 65f13c58a89265808cd871903d6664f1d06e5e4de146cce47ac07ad8cfa52897
Instruction ID: 35e1daf44358ee6d9c0f71aa001b4afc0787b7cc3c33fa547ccbf9e19d044cb7
Opcode Fuzzy Hash: 65f13c58a89265808cd871903d6664f1d06e5e4de146cce47ac07ad8cfa52897
Instruction Fuzzy Hash: CED17A306052128FDF29EF58D899A28F7A4FF15710F1942AEE54AEB352CB30AC12CF51

Function 00892C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00892C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00892CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00891CAD,?), ref: 00892CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00891CAD,?), ref: 00892CCF

Strings

AutoIt v3, xrefs: 00892C89, 00892C8E, 00892C8F
edit, xrefs: 00892CAC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5d688989f4328e9c6191431fe38cd3234dda0d94da89d1664a35ca2731dd0e44
Instruction ID: 16086661ea0bb5467170e13aa6e4ded9668d2ab2685a79c4ed768fc568a9c398
Opcode Fuzzy Hash: 5d688989f4328e9c6191431fe38cd3234dda0d94da89d1664a35ca2731dd0e44
Instruction Fuzzy Hash: F2F0FEB55643907AEB711717AC08E7B3EBDD7CAF50F04005EF901A36A0C6B11851FAB1

Function 00893B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00893B0F,SwapMouseButtons,00000004,?), ref: 00893B83

Strings

Control Panel\Mouse, xrefs: 00893B3E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 74dff3abd12816532a9f2a4981b459ca14873aba5954229fb5d068bd7bef8bf4
Instruction ID: 86e8bfc48efd9721b9eaffcbc13740dbd8ea730302b4055da9ac2f5be9c5e1d4
Opcode Fuzzy Hash: 74dff3abd12816532a9f2a4981b459ca14873aba5954229fb5d068bd7bef8bf4
Instruction Fuzzy Hash: 97112AB5520208FFDF209FA5DC44EAEB7B8FF05754B144459A805D7210D2719E41A7A0

Function 00893923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008D33A2

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00893A04

Strings

Line: , xrefs: 008D33EB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ab1c9eee82a608ff585583c52ab65e3ccefd8297a3a7ada488433ac24984fa99
Instruction ID: a3024f1789a461adda91fbd15b40ce8b9cc6e7825fb59294a48ea318d79cf24b
Opcode Fuzzy Hash: ab1c9eee82a608ff585583c52ab65e3ccefd8297a3a7ada488433ac24984fa99
Instruction Fuzzy Hash: 24319E71408304AACB25FB24DC45BEBB7E8FB45714F08452EF59AD2291EBB09A4897C3

Function 008AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008B0668

Part of subcall function 008B32A4: RaiseException.KERNEL32(?,?,?,008B068A,?,00961444,?,?,?,?,?,?,008B068A,00891129,00958738,00891129), ref: 008B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008B0685

Strings

Unknown exception, xrefs: 008B0692

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b2b3ffe59d74ca9cfaad2ac55003b9ec2108ebf47ce0854fa326d4f3d5704bfa
Instruction ID: 00b10530fef9474ccab8bf72a0560d0463bf983825b11f5031a3c560354be037
Opcode Fuzzy Hash: b2b3ffe59d74ca9cfaad2ac55003b9ec2108ebf47ce0854fa326d4f3d5704bfa
Instruction Fuzzy Hash: 5FF0C23490030D778F10B6A8D846CDF776CFE51354B604131B914E6AA2EF71EA29CE82

Function 008910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00891BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00891BF4
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00891BFC
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00891C07
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00891C12
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00891C1A
Part of subcall function 00891BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00891C22

Part of subcall function 00891B4A: RegisterWindowMessageW.USER32(00000004,?,008912C4), ref: 00891BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0089136A
OleInitialize.OLE32 ref: 00891388
CloseHandle.KERNEL32(00000000,00000000), ref: 008D24AB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e4ef9a378b64ceeac4b2a8dc42e05058c207cda55dee0476c47d85ddac027789
Instruction ID: 0d620dbd461a26656187f62bdc0be0d2c1a0ff9f6a06bcc9b71b5d8dd89a5b71
Opcode Fuzzy Hash: e4ef9a378b64ceeac4b2a8dc42e05058c207cda55dee0476c47d85ddac027789
Instruction Fuzzy Hash: CD719EB89293018FCB94EF7EA945659BAE5FB8834475C812EE01BC7271EBB04441FF46

Function 008FC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00893923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00893A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008FC259
KillTimer.USER32(?,00000001,?,?), ref: 008FC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008FC270

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6dd7f2f48ef0ec329a65627a81660d453c7b5f1ec17ab1c2e7b152e821a0a0db
Instruction ID: 21d20694b62bce18437a5170261195a419c7d0bd5718d9bee1e17d384bbe80c2
Opcode Fuzzy Hash: 6dd7f2f48ef0ec329a65627a81660d453c7b5f1ec17ab1c2e7b152e821a0a0db
Instruction Fuzzy Hash: FA31507090434CAFEB329B748955BEABBECEB06308F04049AD69AA7241C7745B85DB51

Function 008C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008C85CC,?,00958CC8,0000000C), ref: 008C8704
GetLastError.KERNEL32(?,008C85CC,?,00958CC8,0000000C), ref: 008C870E
__dosmaperr.LIBCMT ref: 008C8739

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 35c035248079ffd473162e05b4480642cc588d6ffa3bdb1937ac82ec6d47ae49
Instruction ID: 4455a974d03749d28d6183481873a8d493c017a93db1ac32bb241528dc2e726f
Opcode Fuzzy Hash: 35c035248079ffd473162e05b4480642cc588d6ffa3bdb1937ac82ec6d47ae49
Instruction Fuzzy Hash: CE012F32645560A6D62462385C49F7F6775EB92778F35021DF814CB2D2DEB0DCC19151

Function 0089DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0089DB7B
DispatchMessageW.USER32(?), ref: 0089DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0089DB9F
Sleep.KERNELBASE(0000000A), ref: 0089DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008E1CC9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f9dd338e5dc12beefce4b45ecac8ec0f5fbe02f4a2cf4a5e75eaa5410fdf064b
Instruction ID: 6fee235694796d97a6790c2d6d94b5fd0da2f401dd90345bf4cea248f06a700e
Opcode Fuzzy Hash: f9dd338e5dc12beefce4b45ecac8ec0f5fbe02f4a2cf4a5e75eaa5410fdf064b
Instruction Fuzzy Hash: 1FF05E706183809BEB30DB608C49FAA73ACFB45310F144A29E60AD30C0DB70A4899B25

Function 008A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008A17F6

Strings

CALL, xrefs: 008A17C6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 58dc94b57b2aa00c2b4c1857a0fc25fc935e9c42d345e543475ac9b60cc6aac8
Instruction ID: 39f7d20a374ba6fdc236f09954c1bcec1e20a563a46046332b58b72099b3c0cf
Opcode Fuzzy Hash: 58dc94b57b2aa00c2b4c1857a0fc25fc935e9c42d345e543475ac9b60cc6aac8
Instruction Fuzzy Hash: 6B228C706082419FEB14DF19C484A2ABBF1FF96354F18892DF496CB7A2D771E851CB82

Function 00892DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008D2C8C

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 00892DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00892DC4

Strings

X, xrefs: 008D2C5A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 0ed4b96ec2f376f98325954ae7161ed82275fbaccc16508ae0fcd50754671f65
Instruction ID: c91f5a0d5cb40f5cf315136829a709ea0c671cc117148384939478fe7b9c2347
Opcode Fuzzy Hash: 0ed4b96ec2f376f98325954ae7161ed82275fbaccc16508ae0fcd50754671f65
Instruction Fuzzy Hash: A421C371A10258AFCF01EF98C845BEE7BF8FF48315F04405AE405E7341EBB45A498BA2

Function 00893837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00893908

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 76eeb17d8f5ac7cca37728bc77b0428c05ab2cc0ee0212be830e7654709b401c
Instruction ID: 21b7b6c13e7dca0bdeaa9d30f2006a82c792022f004b200fea3035caf123ef8f
Opcode Fuzzy Hash: 76eeb17d8f5ac7cca37728bc77b0428c05ab2cc0ee0212be830e7654709b401c
Instruction Fuzzy Hash: 9831A5706083019FD720EF64D884B97BBE4FB49708F04092EF59AD7350E7B1AA44DB92

Function 008AF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008AF661

Part of subcall function 0089D730: GetInputState.USER32 ref: 0089D807

Sleep.KERNEL32(00000000), ref: 008EF2DE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: a675b1a033f6235f664c23328275181cac2081557ea2ccda77eacdbbea1cd846
Instruction ID: 9443d75bbc372ee0309d6825cca68b0b25adca336c7c5b45d969006b2dfab4b9
Opcode Fuzzy Hash: a675b1a033f6235f664c23328275181cac2081557ea2ccda77eacdbbea1cd846
Instruction Fuzzy Hash: D7F0A071244605AFD310FFB9E549B6AB7E8FF46761F000029F959C7361DB70A800CB92

Function 00894ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00894E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E9C
Part of subcall function 00894E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00894EAE
Part of subcall function 00894E90: FreeLibrary.KERNEL32(00000000,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EFD

Part of subcall function 00894E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E62
Part of subcall function 00894E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00894E74
Part of subcall function 00894E59: FreeLibrary.KERNEL32(00000000,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E87

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8b69a12b74fbf73204574a310d78d0e6325e19c693a9ea0a1735fd059f9da5e9
Instruction ID: e6d1266c9f54773a2ef5d36a5a908c7b38ecdc95044cdbf7dc929844049cdcbc
Opcode Fuzzy Hash: 8b69a12b74fbf73204574a310d78d0e6325e19c693a9ea0a1735fd059f9da5e9
Instruction Fuzzy Hash: 5F11E332610206AACF24BF68DC02FAD77A5FF40754F14842EF542E62D1EE709A069752

Function 008C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008C8440

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a9b92e1c562d6b3542e86ac429d90e992d1faa678ce17fd50cc4528eba1f4b00
Instruction ID: a5083a7febc39ae3059187483c17c341bf574336568f2d1a24e197245a54617f
Opcode Fuzzy Hash: a9b92e1c562d6b3542e86ac429d90e992d1faa678ce17fd50cc4528eba1f4b00
Instruction Fuzzy Hash: 1911067590410AEFCB09DF58E941E9A7BF9FF48314F154069F808EB312DA31DA118BA5

Function 008C5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008C4C7D: RtlAllocateHeap.NTDLL(00000008,00891129,00000000,?,008C2E29,00000001,00000364,?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?), ref: 008C4CBE

_free.LIBCMT ref: 008C506C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 800f1f7c456e79f56497951ae311af87e7a36e2de5bd512f15f5061af29902c0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3A012672204B046BE721CE699881F5AFBF8FB89370F25051DE584C32C0EA30E845C6B4

Function 008BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 236fea34805a80266800176e8e5155fe3b2efefbbcda6b351d84c8fb41a8b388
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: BFF06D32511A14AED6312A6D9C05FDA27A8FF62335F100619F925D23D2DA74E805C6A6

Function 008C4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00891129,00000000,?,008C2E29,00000001,00000364,?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?), ref: 008C4CBE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25384aaacff44599c3c2433ed6397a438204bdd454abe9cf8238d0f3b3d78cc1
Instruction ID: f36917f3ed5f5642b8eae424ddf131f7450b4de76af5236e8e680b7d08e47aff
Opcode Fuzzy Hash: 25384aaacff44599c3c2433ed6397a438204bdd454abe9cf8238d0f3b3d78cc1
Instruction Fuzzy Hash: E9F0243160622467DB201F269C16F9A37A8FF403B0B046119FC05E62A1CAB0D84042E0

Function 008C3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e15aabee7f0bb796454bc579a3ce4538746a1ccb5e24f49a774eee475aa23e54
Instruction ID: 592a268a774d07c1c6a910e22b1cf780f33aa0ee79b99d2f2defffefe2a13e65
Opcode Fuzzy Hash: e15aabee7f0bb796454bc579a3ce4538746a1ccb5e24f49a774eee475aa23e54
Instruction Fuzzy Hash: FEE0E53110822457E6312A6A9C02FDA3778FB427B0F058038BC15D2692CB70DE0385E1

Function 00894F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894F6D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 39bb8375506e9b740dfd34883b87de1cf7188290e5e5cbcc4081d5cd7fa63afc
Instruction ID: 7542eecfd74a6ae9487c1846a06ffbf89a5899d8ff3738e22445fde5df442b6e
Opcode Fuzzy Hash: 39bb8375506e9b740dfd34883b87de1cf7188290e5e5cbcc4081d5cd7fa63afc
Instruction Fuzzy Hash: 4FF015B1109752CFDB34AF64D494C66BBE4FF143293289A6EE1EAC2621CB319845DB10

Function 00922A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00922A66

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5d794e7c05b90300d0257439a579b175334b0082031c73221653184d262b88b7
Instruction ID: aa5fa0a211dea0612f0ae67b717935d25007c3c7b3e8d5ecd2d40c1b5f06e6b2
Opcode Fuzzy Hash: 5d794e7c05b90300d0257439a579b175334b0082031c73221653184d262b88b7
Instruction Fuzzy Hash: 16E0DF3235422ABAC710EB30EC809FE734CEB543907100536AC16C2590DB34998182A0

Function 008930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0089314E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aeb6b2a8347423c4c856e98b3b5d9350afb559f579edec67031cf192d6714624
Instruction ID: b2ae2000cba55576ddd15721df82509998a945e6a00fab1e727aa7277b30d08f
Opcode Fuzzy Hash: aeb6b2a8347423c4c856e98b3b5d9350afb559f579edec67031cf192d6714624
Instruction Fuzzy Hash: A7F0A7709183049FEB52AB24DC45BDA7BFCB701708F0400E9E149D6391D7B05788DF81

Function 00892DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00892DC4

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9e9a83864cb6431eb5bb39d28425194e25c5b646d4edc222299dca02119108fd
Instruction ID: 22dae07b4a1793604007a3ca8e436f36228cf0272beddce6e0b419be6a5024a0
Opcode Fuzzy Hash: 9e9a83864cb6431eb5bb39d28425194e25c5b646d4edc222299dca02119108fd
Instruction Fuzzy Hash: F4E0CD726041245BCB20A39CDC05FDA77DDEFC8790F040171FD09D7248ED60ED848551

Function 00892B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00893837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00893908

Part of subcall function 0089D730: GetInputState.USER32 ref: 0089D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00892B6B

Part of subcall function 008930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0089314E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 6f06e02803a0524bb4e4f2f6ff81353edeca4508b7005711d0a38faf5629ddfa
Instruction ID: b98a53f69119ddb04c254cc7230c53cc1c5707674e02e5c28968940bd2ead9e8
Opcode Fuzzy Hash: 6f06e02803a0524bb4e4f2f6ff81353edeca4508b7005711d0a38faf5629ddfa
Instruction Fuzzy Hash: CEE0862130434416CE18BB7D985257DA799FBD5351F4C153EF146D3172DE6445454253

Function 008D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008D0704,?,?,00000000,?,008D0704,00000000,0000000C), ref: 008D03B7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f6fb27f156d3203d4ebc8efb55de492b22e4c2461b81ff4d83132a1aecf4fe96
Instruction ID: fa79bcd366218414ed4a0a73c82ecf08c83433f5f4f99570275048d5f769fec2
Opcode Fuzzy Hash: f6fb27f156d3203d4ebc8efb55de492b22e4c2461b81ff4d83132a1aecf4fe96
Instruction Fuzzy Hash: F8D06C3205410DBBDF129F84DD06EDA3BAAFB48714F014000BE1856021C732E832AB90

Function 00891CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00891CBC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f29f214c0c3596f4df1ae9b8f0e0985eed36f7c5530a3a0ddc0d4fa557bf138b
Instruction ID: 92963e06b4f375e39d97179305db82b64f417297f3a27d8cbc09edb8539fa819
Opcode Fuzzy Hash: f29f214c0c3596f4df1ae9b8f0e0985eed36f7c5530a3a0ddc0d4fa557bf138b
Instruction Fuzzy Hash: 0CC092362AC304AFF3248B80BC4AF147764A758B00F088005F60AA96E3C3E26820FA90

Non-executed Functions

Function 00929576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0092961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0092965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0092969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009296C9
SendMessageW.USER32 ref: 009296F2
GetKeyState.USER32(00000011), ref: 0092978B
GetKeyState.USER32(00000009), ref: 00929798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009297AE
GetKeyState.USER32(00000010), ref: 009297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009297E9
SendMessageW.USER32 ref: 00929810
SendMessageW.USER32(?,00001030,?,00927E95), ref: 00929918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0092992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00929941
SetCapture.USER32(?), ref: 0092994A
ClientToScreen.USER32(?,?), ref: 009299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009299D6
ReleaseCapture.USER32 ref: 009299E1
GetCursorPos.USER32(?), ref: 00929A19
ScreenToClient.USER32(?,?), ref: 00929A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00929A80
SendMessageW.USER32 ref: 00929AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00929AEB
SendMessageW.USER32 ref: 00929B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00929B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00929B4A
GetCursorPos.USER32(?), ref: 00929B68
ScreenToClient.USER32(?,?), ref: 00929B75
GetParent.USER32(?), ref: 00929B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00929BFA
SendMessageW.USER32 ref: 00929C2B
ClientToScreen.USER32(?,?), ref: 00929C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00929CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00929CDE
SendMessageW.USER32 ref: 00929D01
ClientToScreen.USER32(?,?), ref: 00929D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00929D82

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

GetWindowLongW.USER32(?,000000F0), ref: 00929E05

Strings

@GUI_DRAGID, xrefs: 0092997D
F, xrefs: 00929D07

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 433778318564e539dd0b2b913c6c8d4395f7a85240f76fc14a06d5c860623896
Instruction ID: 4813a71111500988038904f46280012160892ce3022712ce4ccc4c092347e004
Opcode Fuzzy Hash: 433778318564e539dd0b2b913c6c8d4395f7a85240f76fc14a06d5c860623896
Instruction Fuzzy Hash: E242DD70208211AFDB24CF28EC44EAABBE9FF49314F140A1DF699872A4D731E851DF52

Function 00924873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00924908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00924927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0092494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0092495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0092497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00924A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00924A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00924A7E
IsMenu.USER32(?), ref: 00924A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00924AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00924B20
GetWindowLongW.USER32(?,000000F0), ref: 00924B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00924BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00924C82
wsprintfW.USER32 ref: 00924CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00924CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00924CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00924D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00924D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00924D5A

Strings

%d/%02d/%02d, xrefs: 00924CA8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: c4eb03c48f0de81fcfd0e3c2b53c62a4eb4b410e638302e685e9f6a9cd0a4064
Instruction ID: 00e3a2984b55572b9fe2dc53d9598838d605c742406f20c8362de4444b75b01f
Opcode Fuzzy Hash: c4eb03c48f0de81fcfd0e3c2b53c62a4eb4b410e638302e685e9f6a9cd0a4064
Instruction Fuzzy Hash: 9212F171600225ABEB248F28EC49FAE7BF8FF85710F104529F516EB2E5DB789941CB50

Function 008AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008EF474
IsIconic.USER32(00000000), ref: 008EF47D
ShowWindow.USER32(00000000,00000009), ref: 008EF48A
SetForegroundWindow.USER32(00000000), ref: 008EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008EF4AA
GetCurrentThreadId.KERNEL32 ref: 008EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008EF4DE
SetForegroundWindow.USER32(00000000), ref: 008EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF4F6
keybd_event.USER32(00000012,00000000), ref: 008EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF50B
keybd_event.USER32(00000012,00000000), ref: 008EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF519
keybd_event.USER32(00000012,00000000), ref: 008EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008EF528
keybd_event.USER32(00000012,00000000), ref: 008EF52D
SetForegroundWindow.USER32(00000000), ref: 008EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008EF557

Strings

Shell_TrayWnd, xrefs: 008EF46F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 939ede3ac10b7bf312df9464f4d0b76f07cc67f2253a0124c9b089faefe00293
Instruction ID: 0d55460cdbaedcab1cb441cb2fbc0c6ad2cb1090a77230e2aa4850ff5a608461
Opcode Fuzzy Hash: 939ede3ac10b7bf312df9464f4d0b76f07cc67f2253a0124c9b089faefe00293
Instruction Fuzzy Hash: D53130B1A54218BAEB316BB65C4AFBF7E6CFB45B50F100065FA01E61D1C6B19901BBA0

Function 008F1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
Part of subcall function 008F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
Part of subcall function 008F16C3: GetLastError.KERNEL32 ref: 008F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008F12A8
CloseHandle.KERNEL32(?), ref: 008F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008F12D1
GetProcessWindowStation.USER32 ref: 008F12EA
SetProcessWindowStation.USER32(00000000), ref: 008F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008F1310

Part of subcall function 008F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008F11FC), ref: 008F10D4
Part of subcall function 008F10BF: CloseHandle.KERNEL32(?,?,008F11FC), ref: 008F10E9

Strings

, xrefs: 008F125A
winsta0, xrefs: 008F12CC
default, xrefs: 008F130B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: f74626ad2174aa3e9ec504bf99b478174263ee3d0e192ace3fc1a1c4028ddbfb
Instruction ID: a6ae81dcb3d6b9ae1f8e9f51531b02ecb589c112b293cdad1d7f72fd99b0343c
Opcode Fuzzy Hash: f74626ad2174aa3e9ec504bf99b478174263ee3d0e192ace3fc1a1c4028ddbfb
Instruction Fuzzy Hash: 608188B1900209EBDF249FA8CC89BFE7BBAFF44704F144129FA11E62A1D7308955DB65

Function 008F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
Part of subcall function 008F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
Part of subcall function 008F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
Part of subcall function 008F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008F0C00
GetLengthSid.ADVAPI32(?), ref: 008F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008F0C6D
GetLengthSid.ADVAPI32(?), ref: 008F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008F0C8C
HeapAlloc.KERNEL32(00000000), ref: 008F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008F0CB4
CopySid.ADVAPI32(00000000), ref: 008F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D45
HeapFree.KERNEL32(00000000), ref: 008F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D55
HeapFree.KERNEL32(00000000), ref: 008F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0D65
HeapFree.KERNEL32(00000000), ref: 008F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008F0D78
HeapFree.KERNEL32(00000000), ref: 008F0D7F

Part of subcall function 008F1193: GetProcessHeap.KERNEL32(00000008,008F0BB1,?,00000000,?,008F0BB1,?), ref: 008F11A1
Part of subcall function 008F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008F0BB1,?), ref: 008F11A8
Part of subcall function 008F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008F0BB1,?), ref: 008F11B7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3273f70116be7978fe8e1d29911112cc4e5e17182c002ec48db7ae0513357611
Instruction ID: 8ead7a390e6ac9483ddd1f21660ab863d80b75e5e3f9e38af61572c3d40a6a70
Opcode Fuzzy Hash: 3273f70116be7978fe8e1d29911112cc4e5e17182c002ec48db7ae0513357611
Instruction Fuzzy Hash: 52714BB190420EAFDF209FA4DC45BBEBBB9FF04300F144615EA14E6192D775A906DFA0

Function 0090EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0092CC08), ref: 0090EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0090EB37
GetClipboardData.USER32(0000000D), ref: 0090EB43
CloseClipboard.USER32 ref: 0090EB4F
GlobalLock.KERNEL32(00000000), ref: 0090EB87
CloseClipboard.USER32 ref: 0090EB91
GlobalUnlock.KERNEL32(00000000), ref: 0090EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0090EBC9
GetClipboardData.USER32(00000001), ref: 0090EBD1
GlobalLock.KERNEL32(00000000), ref: 0090EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0090EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0090EC38
GetClipboardData.USER32(0000000F), ref: 0090EC44
GlobalLock.KERNEL32(00000000), ref: 0090EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0090EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0090EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0090ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0090ECF3
CountClipboardFormats.USER32 ref: 0090ED14
CloseClipboard.USER32 ref: 0090ED59

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9048e19f288e93fbede0535f15b1d7e222f90ee9707be114ed568965599dc440
Instruction ID: 06468242b05d62336b0aa1172c376154ce933b29569b021ea41e497768a597d3
Opcode Fuzzy Hash: 9048e19f288e93fbede0535f15b1d7e222f90ee9707be114ed568965599dc440
Instruction Fuzzy Hash: 4861AE752082029FD710EF28D895F2A77A8FF84704F18491DF496D72E1DB31E946DBA2

Function 0090698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009069BE
FindClose.KERNEL32(00000000), ref: 00906A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00906A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00906A75

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00906AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00906ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00906B32
%4d%02d%02d%02d%02d%02d, xrefs: 00906B6A
%02d, xrefs: 00906C00, 00906C0A, 00906C5A, 00906CAA, 00906CFA, 00906D4A
%4d, xrefs: 00906BB1
%03d, xrefs: 00906DA2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f68005460cc8593ca36fa0ff27de0bbd726fc8dd93c986ee4c54b0cbaab05c78
Instruction ID: 2783f8369899f9ff4257ff579e11e2332935a968bf793d62b2a3b93f0dd45f70
Opcode Fuzzy Hash: f68005460cc8593ca36fa0ff27de0bbd726fc8dd93c986ee4c54b0cbaab05c78
Instruction Fuzzy Hash: 3BD13DB2508300AEC714EBA8C881EABB7ECFF98704F44491DF595D6191EB74DA44CB63

Function 00909642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00909663
GetFileAttributesW.KERNEL32(?), ref: 009096A1
SetFileAttributesW.KERNEL32(?,?), ref: 009096BB
FindNextFileW.KERNEL32(00000000,?), ref: 009096D3
FindClose.KERNEL32(00000000), ref: 009096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0090974A
SetCurrentDirectoryW.KERNEL32(00956B7C), ref: 00909768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00909772
FindClose.KERNEL32(00000000), ref: 0090977F
FindClose.KERNEL32(00000000), ref: 0090978F

Strings

*.*, xrefs: 009096F5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2edc2916c54b7509977beb095adc86823311e9667b36fb9e1a85f310be22fdd2
Instruction ID: d800dfdb194ec595b4273aec75985798057a7268eac5e734f9a91fcad8cf6507
Opcode Fuzzy Hash: 2edc2916c54b7509977beb095adc86823311e9667b36fb9e1a85f310be22fdd2
Instruction Fuzzy Hash: F1310272545219AECF20EFB4EC09ADE77ACAF49321F104155F814E31E1DB31DE458B50

Function 0090979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00909819
FindClose.KERNEL32(00000000), ref: 00909824
FindFirstFileW.KERNEL32(*.*,?), ref: 00909840
SetCurrentDirectoryW.KERNEL32(?), ref: 00909890
SetCurrentDirectoryW.KERNEL32(00956B7C), ref: 009098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009098B8
FindClose.KERNEL32(00000000), ref: 009098C5
FindClose.KERNEL32(00000000), ref: 009098D5

Part of subcall function 008FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008FDB00

Strings

*.*, xrefs: 0090983B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 37877ce5bf4c25a522678b5bff5c284880b860615f8654589812e0508696652d
Instruction ID: 694e555a289080af42f0f75ce0f9eae0a45f05e4d7056f327ab9fca92be8527d
Opcode Fuzzy Hash: 37877ce5bf4c25a522678b5bff5c284880b860615f8654589812e0508696652d
Instruction Fuzzy Hash: C931E3725456196EDB20EFB4EC48ADE37ACEF46324F108555ED10E32E1DB30D9458B60

Function 0091BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0091BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0091BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0091C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0091C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0091C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0091C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0091C382
RegCloseKey.ADVAPI32(00000000), ref: 0091C38F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2e2015871a19c6f5acd52a4143041a88982d60c1a80cec0d8107af1914ea562d
Instruction ID: cea561848e50c5a9d3ab647140651f3717ecfc39acde30aeb516a1bc0b83d90b
Opcode Fuzzy Hash: 2e2015871a19c6f5acd52a4143041a88982d60c1a80cec0d8107af1914ea562d
Instruction Fuzzy Hash: B6025FB1604204AFDB14DF28C895E6ABBE5FF49304F18849DF45ADB2A2D731EC46CB52

Function 00908195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00908257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00908267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00908273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00908310
SetCurrentDirectoryW.KERNEL32(?), ref: 00908324
SetCurrentDirectoryW.KERNEL32(?), ref: 00908356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0090838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00908395

Strings

*.*, xrefs: 0090839B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bc6b4f4bd3af58b7ea244a4917b571c72db00fda5b2227851e796425755a58be
Instruction ID: 1e214574887cd71730b12df77809c153f53b7a27b8056a6057b8c48a23559cbf
Opcode Fuzzy Hash: bc6b4f4bd3af58b7ea244a4917b571c72db00fda5b2227851e796425755a58be
Instruction Fuzzy Hash: ED614AB26087059FCB10EF68D8409AFB3E8FF89314F044929F999D7251EB35E945CB92

Function 008FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

FindFirstFileW.KERNEL32(?,?), ref: 008FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008FD1DD
MoveFileW.KERNEL32(?,?), ref: 008FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008FD237

Part of subcall function 008FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008FD21C,?,?), ref: 008FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008FD253
FindClose.KERNEL32(00000000), ref: 008FD264

Strings

\*.*, xrefs: 008FD0CD, 008FD0D6, 008FD0EB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: cc266ce45e32795b74c46572081266bed63b283d3acf38afe75e7e752ed8618f
Instruction ID: a8feb917be64c69676694ace2046f49cb61d543fc505f8fc6f0e81d8c613e4cf
Opcode Fuzzy Hash: cc266ce45e32795b74c46572081266bed63b283d3acf38afe75e7e752ed8618f
Instruction Fuzzy Hash: 45615B3180520D9ACF15EBA8C9929FDB7B6FF15300F244169E611B7191EB30AF09DBA2

Function 0090ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0090ED91
EmptyClipboard.USER32 ref: 0090ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0090EDAC
CloseClipboard.USER32 ref: 0090EEA3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c7f370511ca35619562d8186c829ab20022e9c5b620b53a21289ff0ec192a333
Instruction ID: b147001cbcaba10bdcde89d8cff23e3297f0c30a0bbd9714f7b2f97fad4e74d2
Opcode Fuzzy Hash: c7f370511ca35619562d8186c829ab20022e9c5b620b53a21289ff0ec192a333
Instruction Fuzzy Hash: 8D419D75208611AFD720DF15E888F19BBE5FF44318F18C499E41A8B6A2C775EC42CB90

Function 008FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
Part of subcall function 008F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
Part of subcall function 008F16C3: GetLastError.KERNEL32 ref: 008F174A

ExitWindowsEx.USER32(?,00000000), ref: 008FE932

Strings

, xrefs: 008FE95C
SeShutdownPrivilege, xrefs: 008FE902
, xrefs: 008FE920
@, xrefs: 008FE925

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1416761e4ed485ebc92b4cf1da17e9a01d69d29e12ed4c3c102160d7a3e84e75
Instruction ID: ab336dfda560312aebb030cc8e95c9bb84bd2c0edf407dc63b68b8cdaac4a783
Opcode Fuzzy Hash: 1416761e4ed485ebc92b4cf1da17e9a01d69d29e12ed4c3c102160d7a3e84e75
Instruction Fuzzy Hash: 5901267272021CABEB246BB89C8AFBF769CFB14745F140521FE02E21E1E9E05C4092F0

Function 00911204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00911276
WSAGetLastError.WSOCK32 ref: 00911283
bind.WSOCK32(00000000,?,00000010), ref: 009112BA
WSAGetLastError.WSOCK32 ref: 009112C5
closesocket.WSOCK32(00000000), ref: 009112F4
listen.WSOCK32(00000000,00000005), ref: 00911303
WSAGetLastError.WSOCK32 ref: 0091130D
closesocket.WSOCK32(00000000), ref: 0091133C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5526a853660c60f779a0cd1b06fe1e6799113a23503940eedf3bbc18cd82afbd
Instruction ID: 1ca1a20a0a8f40f7aad1cd102dba08ff8e064d29319ec89850b4d5fab313381b
Opcode Fuzzy Hash: 5526a853660c60f779a0cd1b06fe1e6799113a23503940eedf3bbc18cd82afbd
Instruction Fuzzy Hash: FF41A071600144AFD720DF28C488B69BBE5BF46318F188488E9668F296C771ECC2CBE1

Function 008CB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008CB9D4
_free.LIBCMT ref: 008CB9F8
_free.LIBCMT ref: 008CBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00933700), ref: 008CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0096121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00961270,000000FF,?,0000003F,00000000,?), ref: 008CBC36
_free.LIBCMT ref: 008CBD4B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c818d0e14a3b365848978bb1bdaca10b4ff346b7eb6187043a8da6d5445da13d
Instruction ID: 1a3b8c324f589b32906d69aca8e12af8548409279600faaf13ac5564a7d450ba
Opcode Fuzzy Hash: c818d0e14a3b365848978bb1bdaca10b4ff346b7eb6187043a8da6d5445da13d
Instruction Fuzzy Hash: 28C11671904A58AFCB249F789C52FAA7BB8FF41360F1841AEE491D7291EB30CE41DB51

Function 008FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

FindFirstFileW.KERNEL32(?,?), ref: 008FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008FD481
FindClose.KERNEL32(00000000), ref: 008FD498
FindClose.KERNEL32(00000000), ref: 008FD4A1

Strings

\*.*, xrefs: 008FD3F2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9a1e23ba25e6635c9c89efb038ae711dfe98280e0a3e9e41ffd0f011c96f158d
Instruction ID: ff9cb0bf80bb69b22723e37cd65236eb6346b8c90431ea6ef479844afd733f39
Opcode Fuzzy Hash: 9a1e23ba25e6635c9c89efb038ae711dfe98280e0a3e9e41ffd0f011c96f158d
Instruction Fuzzy Hash: 8B316D710183459BC714FF68D8918BFB7A8FEA1304F484A2DF5E5D3191EB20EA0997A7

Function 008CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008CE645

Strings

1#QNAN, xrefs: 008CF84B
1#INF, xrefs: 008CF852
1#SNAN, xrefs: 008CF844
1#IND, xrefs: 008CF83D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: cc197b249716cc5abe6e400222a34c5d60ff381dbac5a0950f7ce0859bb182a3
Instruction ID: f0c6d1d3a11715df4b10b0643bc3036199989e2c1f0edbfebfc07b024652ad44
Opcode Fuzzy Hash: cc197b249716cc5abe6e400222a34c5d60ff381dbac5a0950f7ce0859bb182a3
Instruction Fuzzy Hash: F2C21971E086288FDB25CE289D40BEAB7B6FB48315F1541EED54DE7241E774AE818F40

Function 0090648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009064DC
CoInitialize.OLE32(00000000), ref: 00906639
CoCreateInstance.OLE32(0092FCF8,00000000,00000001,0092FB68,?), ref: 00906650
CoUninitialize.OLE32 ref: 009068D4

Strings

.lnk, xrefs: 009064BA, 00906524, 009065E0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6f9e8ffe15e75f563a0830082a6ee27d33da403c548dc0e6d6252dad2742ac12
Instruction ID: 28791d021bef899f73c4e7fc557aa62baa9867efa2b81dee04b9cf514bd16428
Opcode Fuzzy Hash: 6f9e8ffe15e75f563a0830082a6ee27d33da403c548dc0e6d6252dad2742ac12
Instruction Fuzzy Hash: EED13971508201AFC714EF28C881D6BB7E9FF94704F44496DF595CB291EB71E909CB92

Function 009122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009122E8

Part of subcall function 0090E4EC: GetWindowRect.USER32(?,?), ref: 0090E504

GetDesktopWindow.USER32 ref: 00912312
GetWindowRect.USER32(00000000), ref: 00912319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00912355
GetCursorPos.USER32(?), ref: 00912381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009123DF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 74574ddbeff6d6bdbf6cf66ca01a06cf764c928cbfcc50f1b111749290f95d92
Instruction ID: 854b4648990de76f77df961e277c3f390c31b18d6a49f885a3097731aa95e7a9
Opcode Fuzzy Hash: 74574ddbeff6d6bdbf6cf66ca01a06cf764c928cbfcc50f1b111749290f95d92
Instruction Fuzzy Hash: 0231D072608319AFC720EF14C849F9BBBA9FF84710F000919F995D7191DB34EA5ACB92

Function 00909B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00909B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00909C8B

Part of subcall function 00903874: GetInputState.USER32 ref: 009038CB
Part of subcall function 00903874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00903966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00909BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00909C75

Strings

*.*, xrefs: 00909B5D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0ec7b3a038fe2f1921fa9837fe4047f69c12eb082cd1d3326f55d9a113e4115f
Instruction ID: 916f5d5ec7c1320197047e399e0889a4fca7ff2a5565f83b6c9e82477bcf2f80
Opcode Fuzzy Hash: 0ec7b3a038fe2f1921fa9837fe4047f69c12eb082cd1d3326f55d9a113e4115f
Instruction Fuzzy Hash: 2D418071D4421A9FDF14EF68C845AEE7BB8FF15310F244056E849A22D2EB309E44CF61

Function 008A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008A9A4E
GetSysColor.USER32(0000000F), ref: 008A9B23
SetBkColor.GDI32(?,00000000), ref: 008A9B36

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: ee6ad27072890388365bd0ccef7cbc6b0cd02bf6f5f4de3406cfe051af14391e
Instruction ID: 41fc4b36d2ef27e434c40ade22378a3229da0678295fbeb6d0d1ea74c45b1ef2
Opcode Fuzzy Hash: ee6ad27072890388365bd0ccef7cbc6b0cd02bf6f5f4de3406cfe051af14391e
Instruction Fuzzy Hash: 95A1297011C4A8BEF728AA3D9C49F7B3A9DFB83358F15410AF582C6DD5CA25AD01D272

Function 00911806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
Part of subcall function 0091304E: _wcslen.LIBCMT ref: 0091309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0091185D
WSAGetLastError.WSOCK32 ref: 00911884
bind.WSOCK32(00000000,?,00000010), ref: 009118DB
WSAGetLastError.WSOCK32 ref: 009118E6
closesocket.WSOCK32(00000000), ref: 00911915

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 10023fd1dd051b11c6ea957fcddb6b1135b0e9d34f986ec5e7d4163450e3e799
Instruction ID: 9bf350b59bb7a965c4ba897ee1fe0e62dad903fcb7a78eed6575f12f1ac95c2e
Opcode Fuzzy Hash: 10023fd1dd051b11c6ea957fcddb6b1135b0e9d34f986ec5e7d4163450e3e799
Instruction Fuzzy Hash: 5551C771B002106FEB10AF28D886F6A77E5EB45718F08C498F9159F3D3D771AD418B92

Function 00921C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00921CC0
IsWindowEnabled.USER32 ref: 00921CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00921CDB
IsIconic.USER32 ref: 00921CE9
IsZoomed.USER32 ref: 00921CF7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1d9466be4f216c95e63c074e98c4bda99d73ec6fe28204542bc267efc30cc541
Instruction ID: a3f4a3f359556b0c0b332016e5733b216b246d195e7003680b06eb978298842a
Opcode Fuzzy Hash: 1d9466be4f216c95e63c074e98c4bda99d73ec6fe28204542bc267efc30cc541
Instruction Fuzzy Hash: 9D21E5357442219FD720DF1AE844B2A7BE9FFA5314F198068E88ACB355CB71EC42CB90

Function 00898060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008983E8
VUUU, xrefs: 008983FA
VUUU, xrefs: 0089843C
ERCP, xrefs: 0089813C
VUUU, xrefs: 008D5DF0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ac8de6d5751c08d174887cfb27fcb19f4f3a1e8524b9075baa1eef93836b61d9
Instruction ID: e56f3e64c12c241e5aec752adfe5da48f59f75d29f6f045026d2822a6b346256
Opcode Fuzzy Hash: ac8de6d5751c08d174887cfb27fcb19f4f3a1e8524b9075baa1eef93836b61d9
Instruction Fuzzy Hash: 02A26D71A0061ECBDF24DF58C8407AEB7B1FB55314F2882AAE815EB385EB309D91CB50

Function 008FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008FAAAC
SetKeyboardState.USER32(00000080), ref: 008FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008FAB88

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b2bced905e3c03ed5d45978b31f0ede3f0d71d43f90768e8e4142f957c7164ff
Instruction ID: 76b3e9e8d2c6ca87b403c5bb73ecb3b10c12d0f07d7802bef059be9f3049476f
Opcode Fuzzy Hash: b2bced905e3c03ed5d45978b31f0ede3f0d71d43f90768e8e4142f957c7164ff
Instruction Fuzzy Hash: 2831E7B0A4025CAEFB398A78CC05BFA7BA6FB44330F14421AF689D61D1D3758985D762

Function 0090CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0090CE89
GetLastError.KERNEL32(?,00000000), ref: 0090CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0090CEFE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 97bc2759aa5709e000377189aed3d08520e9ebc063e68b3aa48d3426a34c2e06
Instruction ID: b3fd1c177c8d532abfc33faac7b423935fc1a0400ab58c61b51b3e986c4884af
Opcode Fuzzy Hash: 97bc2759aa5709e000377189aed3d08520e9ebc063e68b3aa48d3426a34c2e06
Instruction Fuzzy Hash: CB21ACB1504705EFDB30DF65C988BAA77FCEB40314F204A2AE646D2191E774EE059B50

Function 008F8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008F82AA

Strings

(, xrefs: 008F82F0
|, xrefs: 008F82DA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bbaab64f140da529325f0a939c946b25ec4d36aefed733418d6719791fcbd0ca
Instruction ID: 76209af99be81a668ecae30474fdd241f644ad2611ad0dc1ca76ca4521435a68
Opcode Fuzzy Hash: bbaab64f140da529325f0a939c946b25ec4d36aefed733418d6719791fcbd0ca
Instruction Fuzzy Hash: 4C323475A00609DFCB28CF69C481A6AB7F0FF48710B15C56EE59ADB7A1EB70E941CB40

Function 00905C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00905CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00905D17
FindClose.KERNEL32(?), ref: 00905D5F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cfa3a9391112a96d6acad4ceae0a52a3785cd7d45ffa8c8bde34571c63681bde
Instruction ID: 1479ac108f8c8875b4f480c026f6e20c76cf6c1265ad7dda81c20865495b146b
Opcode Fuzzy Hash: cfa3a9391112a96d6acad4ceae0a52a3785cd7d45ffa8c8bde34571c63681bde
Instruction Fuzzy Hash: D851A975604A019FC714DF28C494A9AB7E8FF49324F15855EE99A8B3A2DB30EC04CF92

Function 008C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008C2731

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f3487d190cbc610263ac26c2926497b9a7a1466595d003cdcb490fb55022c06b
Instruction ID: 1675e68a701c7d149c5277739cfc8331eae9655b8a349951dec38264b62a30f4
Opcode Fuzzy Hash: f3487d190cbc610263ac26c2926497b9a7a1466595d003cdcb490fb55022c06b
Instruction Fuzzy Hash: 7431B4749112289BCB21DF68DC89BDDB7B8FF08310F5045EAE41CA62A1E7709F818F45

Function 009051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00905238
SetErrorMode.KERNEL32(00000000), ref: 009052A1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6ce0b544a80e6a3ffee9664007565e635f4955da63bee5e51165d70d4ce40fc3
Instruction ID: 89dfe726027e23c06e5327339022cfe22d66a8dde723fd01d2aa485c6309f36c
Opcode Fuzzy Hash: 6ce0b544a80e6a3ffee9664007565e635f4955da63bee5e51165d70d4ce40fc3
Instruction Fuzzy Hash: A2318075A14508DFDB00EF58D885EAEBBF4FF08314F098099E805AB3A2DB31E856CB51

Function 008F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008B0668
Part of subcall function 008AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008F173A
GetLastError.KERNEL32 ref: 008F174A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: edc033eb9602e0dcd02e01c815c1c9de6c16fd698621418d22e1aec67bd06069
Instruction ID: d71f60720a9ab339e58b561f6bc8ab63211ad60fd1450f340e2bd35bdd9949fc
Opcode Fuzzy Hash: edc033eb9602e0dcd02e01c815c1c9de6c16fd698621418d22e1aec67bd06069
Instruction Fuzzy Hash: F411C4B1414308EFEB18AF64DC86D6AB7F9FB04714B20852EE15693641EB70BC418A60

Function 008FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008FD650

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e301ee7c83d3f297a770936307b68494068e2a4cb1ed08c19edd12d12bef6d34
Instruction ID: 97c19234fe43bcde5784928d021275aa4d716f946ce80141077c5fd7dd849c52
Opcode Fuzzy Hash: e301ee7c83d3f297a770936307b68494068e2a4cb1ed08c19edd12d12bef6d34
Instruction Fuzzy Hash: E4117CB1E05228BBDB208FA4DC45FAFBBBCEB45B60F108111FA04E7290D6704A058BA1

Function 008F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008F16A1
FreeSid.ADVAPI32(?), ref: 008F16B1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8cb9250641d88e04c9549a7c4ee27f3c9deb9429e16c69c0833af973691f1b9d
Instruction ID: 8dd8887079d6bda6c4ee8a29279b691c5b56d16649716171b6c6e4fffca2daa3
Opcode Fuzzy Hash: 8cb9250641d88e04c9549a7c4ee27f3c9deb9429e16c69c0833af973691f1b9d
Instruction Fuzzy Hash: 7DF0F4B199030DFBDF00DFE49C89EAEBBBCFB08644F504565E501E2181E774AA449A54

Function 008CC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008CC36C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8493b9b5154d63a0d7f7b003ef6133701b5889c61f711b6635f2947e576303d2
Instruction ID: f5ded11ae42a2288b76196199f2a76ffe71019eef6a044699d87e13e5c8d7a72
Opcode Fuzzy Hash: 8493b9b5154d63a0d7f7b003ef6133701b5889c61f711b6635f2947e576303d2
Instruction Fuzzy Hash: CC412672900219AFCB249FB9DC89EAB77B8FB84354F10826DF909D7280E670DD81CB50

Function 008ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008ED28C

Strings

X64, xrefs: 008ED2A8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 81dc27d0ea430a67abc2b4e79761d8c45c0193899caadc9d788e710f7a802265
Instruction ID: f1bc18c6a3619718e1176d6ccd1abae70be427624eee6f39b1df23953b87fc4b
Opcode Fuzzy Hash: 81dc27d0ea430a67abc2b4e79761d8c45c0193899caadc9d788e710f7a802265
Instruction Fuzzy Hash: 94D0C9B581521DEACF90CB90DC88DDDB37CFB05309F100151F106E2000D73095499F10

Function 008BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8e7a043f67056e8580028e0abeb7d3b4227755c0e6337818f5cd5acd793377cc
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 7C021D71E001199BDF14CFA9C8906EEFBF1FF58314F25416AD819EB384D731A9458B94

Function 009068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00906918
FindClose.KERNEL32(00000000), ref: 00906961

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fab78604e89499754a705fb1dbea7a9210a7ac14520668ae40bf46de83323823
Instruction ID: 543ab83f36eec38df2c3e138049afa2829be0d19d2061739043b1994ca31828a
Opcode Fuzzy Hash: fab78604e89499754a705fb1dbea7a9210a7ac14520668ae40bf46de83323823
Instruction Fuzzy Hash: F11190726142019FC710DF29D484A1ABBE5FF85328F18C699F4798F6A2CB30EC05CB91

Function 009037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00914891,?,?,00000035,?), ref: 009037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00914891,?,?,00000035,?), ref: 009037F4

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 864a6b349a47e1604d9df0ca2440200c306950168e32c8ec6aaf0e073d94b541
Instruction ID: 9a4ca5b40512ce186ccdf3a638cb1947046ee263d1e01651cd1c01efea3b489f
Opcode Fuzzy Hash: 864a6b349a47e1604d9df0ca2440200c306950168e32c8ec6aaf0e073d94b541
Instruction Fuzzy Hash: 65F0ECB06042156AEB2057698C4DFDB375DEFC4761F000265F505D22C1D9609904C6F1

Function 008FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008FB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 008FB270

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d6a1ccb776ffb7bd3115e4926e0f11f6600e112bae9ea1e54b98b909c6b4646e
Instruction ID: 5138dbab3c3a328a21f68cc031c8c7a888a549a78203a5cf2704876abe1119fe
Opcode Fuzzy Hash: d6a1ccb776ffb7bd3115e4926e0f11f6600e112bae9ea1e54b98b909c6b4646e
Instruction Fuzzy Hash: 50F01D7181424DABDF159FA0C805BBE7BB4FF04309F108009F955A6191D379D6119F94

Function 008F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008F11FC), ref: 008F10D4
CloseHandle.KERNEL32(?,?,008F11FC), ref: 008F10E9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 97c72673541b792dbdbcaee11f6ca4b8c156eda8a467eb5ba77d7a1d20e6a42a
Instruction ID: cd9fc78de35963fe1fa90f7c91b1a7081fd1a9ef48da967d48937591b97473e4
Opcode Fuzzy Hash: 97c72673541b792dbdbcaee11f6ca4b8c156eda8a467eb5ba77d7a1d20e6a42a
Instruction Fuzzy Hash: 54E04F72018600EEFB352B65FC09E7777E9FB04320B20882DF6A5C04B1DB626CA1EB54

Function 0089CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008E0C40

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 186f9b44ed5c3ecfcefe98c6f385916463b67cfe21c82f781b0687ad11160784
Instruction ID: 33a3508804177a6c6c691a5a4871062159bce6c7a6903618e073e2af9c69a583
Opcode Fuzzy Hash: 186f9b44ed5c3ecfcefe98c6f385916463b67cfe21c82f781b0687ad11160784
Instruction Fuzzy Hash: 4932AF70900218DBDF14EF94C884AEDB7B5FF05308F284469E806EB282DBB6AD45CF61

Function 008C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008C6766,?,?,00000008,?,?,008CFEFE,00000000), ref: 008C6998

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ab1074be47311f34f96de73b8e98b033f2ebbeccf47b90006461de312ee77244
Instruction ID: 3ebf78dd3ce3ceaae0b3e6bc00695da5c9bf64f1c53ce18cab245bbf387b50b3
Opcode Fuzzy Hash: ab1074be47311f34f96de73b8e98b033f2ebbeccf47b90006461de312ee77244
Instruction Fuzzy Hash: C0B139316106099FD715CF28C486F657BB0FF45368F29866CE89ACF2A2D335E9A5CB40

Function 008AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008E851F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 90faa77beb16d537957ff3b2c6d6ec804cce5aae33e6a766efdd37142330007d
Instruction ID: 3796aedafd440bc82f86346223dd0c0d304e35e8c267220519dcb2b37a84de7c
Opcode Fuzzy Hash: 90faa77beb16d537957ff3b2c6d6ec804cce5aae33e6a766efdd37142330007d
Instruction Fuzzy Hash: A6124F71900229DFDB24CF59C8806AEB7F5FF49710F14819AE849EB256EB349E81CF94

Function 0090EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0090EABD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 99a28d8ca4835f42951cad1c92e13973b2eb082c06982d4c77f12483677a5896
Instruction ID: 94a5900aacd18900c96d8b49605da666cc9443bccb11b0bed56fcbaf1c4a1e67
Opcode Fuzzy Hash: 99a28d8ca4835f42951cad1c92e13973b2eb082c06982d4c77f12483677a5896
Instruction Fuzzy Hash: 32E01A362102049FC710EF59E804E9AB7E9FF98760F048816FC49C72A1DAB0A8418BA1

Function 008B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008B03EE), ref: 008B09DA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e65ebebed2c086320c7da9a7b34bf468fafceea00670548a216a338834796f2
Instruction ID: 012cbcde61fd796d938ca59ca2388a08b1776bc3aecc37c4f8d2048ced31be03
Opcode Fuzzy Hash: 9e65ebebed2c086320c7da9a7b34bf468fafceea00670548a216a338834796f2
Instruction Fuzzy Hash:

Function 008B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008B798B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6d2279e781342056ee57ff26188913dddb2e7bdb7da84e4abbe3da2c5e0eec55
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4C519B7160C74A9BDB38453C885E7FE2B89FBD2344F180539D882D7782CA19EE01D35A

Function 008C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0e544ed109c3d42458b32f2cba763cc0f93d78713146b18242217323309a2b
Instruction ID: 8d560dcac462a700ae4688b08ac2230056c0cef57f0b33cf0e9b9f58c8961718
Opcode Fuzzy Hash: 0a0e544ed109c3d42458b32f2cba763cc0f93d78713146b18242217323309a2b
Instruction Fuzzy Hash: AE320F22D2DF014DD7239634D822336A659EFB73D5F15C32BE82AB5AA5EB39C4835900

Function 008ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9307d7b7cb8f6403a20fef37084d31ab747b8e44f87f713aaf7c542a1ee4503
Instruction ID: d32a5fdeeccd8ab0ef37509fc4a300decb05b76483749c6cd5c985d7e2bbad37
Opcode Fuzzy Hash: c9307d7b7cb8f6403a20fef37084d31ab747b8e44f87f713aaf7c542a1ee4503
Instruction Fuzzy Hash: 89321732E041998BDF28CF2BC49067D7BA1FB47324F28856AD95ACB691D230DD83DB41

Function 00897920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87f71963b410b90280914bbbf012d8d5c399378c2d53a5a04aa1d44b2d3ad02
Instruction ID: c491e26ebc7e5bd415a6b74a87320e60fdc13adf04f9fcea5d68da108b1f5524
Opcode Fuzzy Hash: a87f71963b410b90280914bbbf012d8d5c399378c2d53a5a04aa1d44b2d3ad02
Instruction Fuzzy Hash: AE22BEB0A04609DFDF14DFA9D881AAEB7F6FF44314F14462AE812E7391EB35A910CB51

Function 008991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc07da638dac8fb0cb9222eee4432cbf7b120e30061da66bd44ad73345178f8
Instruction ID: d484b55bb4d79ddd7781b6bb5ccbf6ac4248348740b70de72a7becdb179fd87d
Opcode Fuzzy Hash: 5cc07da638dac8fb0cb9222eee4432cbf7b120e30061da66bd44ad73345178f8
Instruction Fuzzy Hash: A202D7B0A10219EBDF05EF58D881AADB7B1FF44304F548169E456DF391EB31EA20CB91

Function 008C9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff3edd6255d7b5bb019be3aa878be334fbd1931c3d21a8457645b9eac66f20a
Instruction ID: 8f25d54925586857b1c03654cc1119773e7d9d67fabe012132234a80fa2502d1
Opcode Fuzzy Hash: 4ff3edd6255d7b5bb019be3aa878be334fbd1931c3d21a8457645b9eac66f20a
Instruction Fuzzy Hash: 5EB10020E7AF454DC32396398831336B65CAFBB6D9F91D31BFC2674D22EB2286835540

Function 008B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a58a3c8cbae874bd564fbba1771193ebed21fdcc09031891d44a14a1ce89c9bb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BF9156722080E349DF694639857C0BEFFE1EA523A139E079DD4F2CE2C5EE14D554D620

Function 008B1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 8fb18d6708ae5566dfe820ed83fedafa65d3c248a528fb986a6a076bec108fb2
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9165722094E349DB29423D84784BEFFE1EA923A135A079DD4F2CF3C5EE249555E720

Function 008B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 63f1cfeffacc0a6747ac0c4b8d917134d2e75d1e2f763da6c61d38343762c689
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 149154722090E34ADF69427A857C0BEFFE1EA923B139A079DD4F2CE2C5FE14D5549620

Function 008B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33daec84568925edb1c98a0d3c5cc7b5d11f8eb2e295e313eaaa693ef904380
Instruction ID: 7ae6cc7b58c6c28d904a2e26dd8197dd76d168f410db86e762759649db0ffa11
Opcode Fuzzy Hash: f33daec84568925edb1c98a0d3c5cc7b5d11f8eb2e295e313eaaa693ef904380
Instruction Fuzzy Hash: 07616671208719A6DE749A2C8CA5BFF2398FFC1764F20191EE942DB3D1DA119E42CB16

Function 008B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f432f3f35a5d0c065ecc4a8fe356dfb5d5bb45531fafa5d93b6b9fe765f58ed5
Instruction ID: 48b617adbdd8b1505ab4ef645723e9ff8f4ee989caa062fe37450df4f647a370
Opcode Fuzzy Hash: f432f3f35a5d0c065ecc4a8fe356dfb5d5bb45531fafa5d93b6b9fe765f58ed5
Instruction Fuzzy Hash: 76617A7120C70996DE385A2C88A5BFF2398FFC2B84F180959E943DF795DA12ED42C356

Function 008B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fcadcee6f49d448664cdaf79c6668415630b8200b5349d4cd2ff63dcaa3b0ec2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 138164326080E349DF694239857C4BEFFE1FA923A139A07ADD4F2CF2C5EE149554D620

Function 00902046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb53829feddf2bbe588af80457db1bb516890a62e7477a6170255167b296e31
Instruction ID: eb4c0d34cdde56328c94cd2e4a54748b477d94b11493ccef1fec1bd8aa2a9796
Opcode Fuzzy Hash: fdb53829feddf2bbe588af80457db1bb516890a62e7477a6170255167b296e31
Instruction Fuzzy Hash: 1421B7326206158FD728CF79C82767E73E9A754310F25862EE4A7C37D0DE75A904DB80

Function 00912ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00912B30
DeleteObject.GDI32(00000000), ref: 00912B43
DestroyWindow.USER32 ref: 00912B52
GetDesktopWindow.USER32 ref: 00912B6D
GetWindowRect.USER32(00000000), ref: 00912B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00912CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00912CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912CF8
GetClientRect.USER32(00000000,?), ref: 00912D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00912D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D80
GlobalLock.KERNEL32(00000000), ref: 00912D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912D98
GlobalUnlock.KERNEL32(00000000), ref: 00912DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912DA8
GlobalFree.KERNEL32(00000000), ref: 00912DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0092FC38,00000000), ref: 00912DDB
GlobalFree.KERNEL32(00000000), ref: 00912DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00912E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00912E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00912E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0091303F

Strings

DISPLAY, xrefs: 00912EA2
AutoIt v3, xrefs: 00912CF2
static, xrefs: 00912D3A, 00912E91
, xrefs: 00912FC5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 236a69fa122e8138ea4f3c503ecb13bfaf77b54c38258eeaf0d98131353ea22d
Instruction ID: 6a34a2e13e29c24537a9c7d5ab03c4f1cf578e49551fc246d7933bc1cd0af82e
Opcode Fuzzy Hash: 236a69fa122e8138ea4f3c503ecb13bfaf77b54c38258eeaf0d98131353ea22d
Instruction Fuzzy Hash: 7A026BB1A14209EFDB14DF64DD89EAE7BB9FB48310F048158F915AB2A1CB70AD41DB60

Function 009270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0092712F
GetSysColorBrush.USER32(0000000F), ref: 00927160
GetSysColor.USER32(0000000F), ref: 0092716C
SetBkColor.GDI32(?,000000FF), ref: 00927186
SelectObject.GDI32(?,?), ref: 00927195
InflateRect.USER32(?,000000FF,000000FF), ref: 009271C0
GetSysColor.USER32(00000010), ref: 009271C8
CreateSolidBrush.GDI32(00000000), ref: 009271CF
FrameRect.USER32(?,?,00000000), ref: 009271DE
DeleteObject.GDI32(00000000), ref: 009271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00927230
FillRect.USER32(?,?,?), ref: 00927262
GetWindowLongW.USER32(?,000000F0), ref: 00927284

Part of subcall function 009273E8: GetSysColor.USER32(00000012), ref: 00927421
Part of subcall function 009273E8: SetTextColor.GDI32(?,?), ref: 00927425
Part of subcall function 009273E8: GetSysColorBrush.USER32(0000000F), ref: 0092743B
Part of subcall function 009273E8: GetSysColor.USER32(0000000F), ref: 00927446
Part of subcall function 009273E8: GetSysColor.USER32(00000011), ref: 00927463
Part of subcall function 009273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00927471
Part of subcall function 009273E8: SelectObject.GDI32(?,00000000), ref: 00927482
Part of subcall function 009273E8: SetBkColor.GDI32(?,00000000), ref: 0092748B
Part of subcall function 009273E8: SelectObject.GDI32(?,?), ref: 00927498
Part of subcall function 009273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009274B7
Part of subcall function 009273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009274CE
Part of subcall function 009273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009274DB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 470571313339aedfff14d9fa50db583ce0ddcf42911dae3f879e72156491137e
Instruction ID: ce342e66122ec6de006d848220b6ba6b493ef8fb8639ae98a8f7374140b6f674
Opcode Fuzzy Hash: 470571313339aedfff14d9fa50db583ce0ddcf42911dae3f879e72156491137e
Instruction Fuzzy Hash: 5FA190B201C311AFDB109FA0EC48E5EBBA9FF49320F100A19F962A61E1D774E945DB52

Function 008A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008E6F43

Part of subcall function 008A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008A8BE8,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8FC5

SendMessageW.USER32(?,00001053), ref: 008E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008E6FB7

Strings

0, xrefs: 008E6DCF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ae516595d331af60aeaebcbfebaada2b3390f89de47b2572a260aef830f6e055
Instruction ID: 63f3f34c89e337fd1cbf0e886da772ce1c81f66a986b453117a5863f75425861
Opcode Fuzzy Hash: ae516595d331af60aeaebcbfebaada2b3390f89de47b2572a260aef830f6e055
Instruction Fuzzy Hash: BE12AD30208281DFDB25CF15D844BA9B7A1FF66350F184469F485CB661DB32EC62EF91

Function 00912711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0091273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0091286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00912900
GetClientRect.USER32(00000000,?), ref: 0091290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00912955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00912964
GetStockObject.GDI32(00000011), ref: 00912974
SelectObject.GDI32(00000000,00000000), ref: 00912978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00912988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00912991
DeleteDC.GDI32(00000000), ref: 0091299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00912A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00912A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00912A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00912A77
GetStockObject.GDI32(00000011), ref: 00912A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00912A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00912A97

Strings

msctls_progress32, xrefs: 00912A13
DISPLAY, xrefs: 0091295A
AutoIt v3, xrefs: 009128F8
static, xrefs: 0091294F, 00912A71

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1189a7a8d250b225ae9efacca6a4240f086f4bdd61c21f668d99fbdac3350a4f
Instruction ID: 995211b429da630368ffd87eed4e7dd97584aa1033c04927ad18faf1c1c89407
Opcode Fuzzy Hash: 1189a7a8d250b225ae9efacca6a4240f086f4bdd61c21f668d99fbdac3350a4f
Instruction Fuzzy Hash: 92B15CB1A10219AFEB24DF68DC4AFAE7BA9FB48710F044118F915E72A0D770ED40DB94

Function 00904ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00904AED
GetDriveTypeW.KERNEL32(?,0092CB68,?,\\.\,0092CC08), ref: 00904BCA
SetErrorMode.KERNEL32(00000000,0092CB68,?,\\.\,0092CC08), ref: 00904D36

Strings

ATA, xrefs: 00904C98
CDROM, xrefs: 00904BFB
SAS, xrefs: 00904CC9
Network, xrefs: 00904C02
Fixed, xrefs: 00904C09
Removable, xrefs: 00904C10, 00904C15
SSD, xrefs: 00904C4A
SCSI, xrefs: 00904C8A
Virtual, xrefs: 00904CE5
ATAPI, xrefs: 00904C91
1394, xrefs: 00904C9F
Unknown, xrefs: 00904BED, 00904C83
SSA, xrefs: 00904CA6
USB, xrefs: 00904CB4
PhysicalDrive, xrefs: 00904B76
RAMDisk, xrefs: 00904BF4
FileBackedVirtual, xrefs: 00904CEC
RAID, xrefs: 00904CBB
iSCSI, xrefs: 00904CC2
SATA, xrefs: 00904CD0
\\.\, xrefs: 00904B3F
MMC, xrefs: 00904CDE
Fibre, xrefs: 00904CAD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6041360c060942cea31cddd2b2c4438fd2a524252799363830bd47e73556843b
Instruction ID: cb69ecf66b9c0085fa0075ec05afd6d6d0dd206ecc923d342fffb0aedb5fe28a
Opcode Fuzzy Hash: 6041360c060942cea31cddd2b2c4438fd2a524252799363830bd47e73556843b
Instruction Fuzzy Hash: 8C61F4B0605205EFDB04EF28CA829BC77B4FB85305B684815FA86EB2D1DB35ED45DB42

Function 009273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00927421
SetTextColor.GDI32(?,?), ref: 00927425
GetSysColorBrush.USER32(0000000F), ref: 0092743B
GetSysColor.USER32(0000000F), ref: 00927446
CreateSolidBrush.GDI32(?), ref: 0092744B
GetSysColor.USER32(00000011), ref: 00927463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00927471
SelectObject.GDI32(?,00000000), ref: 00927482
SetBkColor.GDI32(?,00000000), ref: 0092748B
SelectObject.GDI32(?,?), ref: 00927498
InflateRect.USER32(?,000000FF,000000FF), ref: 009274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0092752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00927554
InflateRect.USER32(?,000000FD,000000FD), ref: 00927572
DrawFocusRect.USER32(?,?), ref: 0092757D
GetSysColor.USER32(00000011), ref: 0092758E
SetTextColor.GDI32(?,00000000), ref: 00927596
DrawTextW.USER32(?,009270F5,000000FF,?,00000000), ref: 009275A8
SelectObject.GDI32(?,?), ref: 009275BF
DeleteObject.GDI32(?), ref: 009275CA
SelectObject.GDI32(?,?), ref: 009275D0
DeleteObject.GDI32(?), ref: 009275D5
SetTextColor.GDI32(?,?), ref: 009275DB
SetBkColor.GDI32(?,?), ref: 009275E5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 63877176207bf0b02902be2c26ea2c450dd6a0574c90ae2891700c4e06dfe8d7
Instruction ID: 8dbad1497412d644a5aed93bafa22f7300086d5d85bf287b55e2fac20b2a7958
Opcode Fuzzy Hash: 63877176207bf0b02902be2c26ea2c450dd6a0574c90ae2891700c4e06dfe8d7
Instruction Fuzzy Hash: 84617FB2908218AFDF119FA4DC49EAEBFB9EF08320F104115F911BB2A1D7749941DF90

Function 00920FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00921128
GetDesktopWindow.USER32 ref: 0092113D
GetWindowRect.USER32(00000000), ref: 00921144
GetWindowLongW.USER32(?,000000F0), ref: 00921199
DestroyWindow.USER32(?), ref: 009211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0092120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0092121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00921232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00921245
IsWindowVisible.USER32(00000000), ref: 009212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009212D0
GetWindowRect.USER32(00000000,?), ref: 009212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0092130E
GetMonitorInfoW.USER32(00000000,?), ref: 00921328
CopyRect.USER32(?,?), ref: 0092133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009213AA

Strings

0, xrefs: 009210D3
(, xrefs: 0092131B
tooltips_class32, xrefs: 009211E6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6aa4ded05b2af5672e65557cdbb2f70e33a42f13f34afab3e30456bde92fb793
Instruction ID: fa51971b49e5184415503678669f0e72b94fcc93963d7e9a6ea18577d16b067f
Opcode Fuzzy Hash: 6aa4ded05b2af5672e65557cdbb2f70e33a42f13f34afab3e30456bde92fb793
Instruction Fuzzy Hash: B6B1BD71608351AFDB10DF68D884B6EBBE9FF98310F00891CF9999B261C731E855CB92

Function 00920241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009202E5
_wcslen.LIBCMT ref: 0092031F
_wcslen.LIBCMT ref: 00920389
_wcslen.LIBCMT ref: 009203F1
_wcslen.LIBCMT ref: 00920475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009204C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00920504

Part of subcall function 008AF9F2: _wcslen.LIBCMT ref: 008AF9FD

Part of subcall function 008F223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008F2258
Part of subcall function 008F223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008F228A

Strings

GETSUBITEMCOUNT, xrefs: 00920384, 0092039F
VIEWCHANGE, xrefs: 00920675
SELECTALL, xrefs: 00920515
GETSELECTEDCOUNT, xrefs: 00920470, 0092048B
SELECT, xrefs: 00920548
DESELECT, xrefs: 0092059C
GETSELECTED, xrefs: 009205E1
GETTEXT, xrefs: 009203EC, 00920407
SELECTCLEAR, xrefs: 0092052D
ISSELECTED, xrefs: 009204DD
FINDITEM, xrefs: 00920627
GETITEMCOUNT, xrefs: 00920316, 00920337
SELECTINVERT, xrefs: 0092057E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 50a25c4f9726d1cafa137001f7101df2aa83703b53cd27087c59e521babe5fb6
Instruction ID: f1d62b31ccccd6f2f2b4885a16cb81594bee861245730126f44712a6bccfb974
Opcode Fuzzy Hash: 50a25c4f9726d1cafa137001f7101df2aa83703b53cd27087c59e521babe5fb6
Instruction Fuzzy Hash: ECE18E312082118FCB14EF29E55182AB7E6FFC8314B144A5DF8969B7A6DB30ED45CB42

Function 008A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008A8968
GetSystemMetrics.USER32(00000007), ref: 008A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008A899B
GetSystemMetrics.USER32(00000008), ref: 008A89A3
GetSystemMetrics.USER32(00000004), ref: 008A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008A8A5A
GetStockObject.GDI32(00000011), ref: 008A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008A8A81

Part of subcall function 008A912D: GetCursorPos.USER32(?), ref: 008A9141
Part of subcall function 008A912D: ScreenToClient.USER32(00000000,?), ref: 008A915E
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000001), ref: 008A9183
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000002), ref: 008A919D

SetTimer.USER32(00000000,00000000,00000028,008A90FC), ref: 008A8AA8

Strings

AutoIt v3 GUI, xrefs: 008A8A20

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 599bc078ee91bb18d52005095557587b4d661e64414c4a5a8fe882311fadc336
Instruction ID: f7af783eeb36cfb79f62100b357509e30695598b412e7331242ae1ada6a8f070
Opcode Fuzzy Hash: 599bc078ee91bb18d52005095557587b4d661e64414c4a5a8fe882311fadc336
Instruction Fuzzy Hash: 8BB17C71A0420AEFDB14DFA8DC45BAE3BB4FB49314F144229FA15E7290DB74E851CB61

Function 008F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
Part of subcall function 008F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
Part of subcall function 008F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
Part of subcall function 008F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
Part of subcall function 008F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008F0E29
GetLengthSid.ADVAPI32(?), ref: 008F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008F0E96
GetLengthSid.ADVAPI32(?), ref: 008F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008F0EB5
HeapAlloc.KERNEL32(00000000), ref: 008F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008F0EDD
CopySid.ADVAPI32(00000000), ref: 008F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F6E
HeapFree.KERNEL32(00000000), ref: 008F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F7E
HeapFree.KERNEL32(00000000), ref: 008F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F0F8E
HeapFree.KERNEL32(00000000), ref: 008F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008F0FA1
HeapFree.KERNEL32(00000000), ref: 008F0FA8

Part of subcall function 008F1193: GetProcessHeap.KERNEL32(00000008,008F0BB1,?,00000000,?,008F0BB1,?), ref: 008F11A1
Part of subcall function 008F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008F0BB1,?), ref: 008F11A8
Part of subcall function 008F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008F0BB1,?), ref: 008F11B7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e59855f4895eb9618f27940aa8dad63382c2f659357f1b4ccdc22f4d0a268a23
Instruction ID: 346d028c4e716a875ef0bd238261e3827b7df75ccb81dbc3e5ca946c324ccf8a
Opcode Fuzzy Hash: e59855f4895eb9618f27940aa8dad63382c2f659357f1b4ccdc22f4d0a268a23
Instruction Fuzzy Hash: D37139B290420AAFDF209FA4DC49FBEBBB8FF04310F144115EA59E6192DB719916CF60

Function 0091C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0092CC08,00000000,?,00000000,?,?), ref: 0091C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0091C5A4
_wcslen.LIBCMT ref: 0091C5F4
_wcslen.LIBCMT ref: 0091C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0091C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0091C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0091C84D
RegCloseKey.ADVAPI32(?), ref: 0091C881
RegCloseKey.ADVAPI32(00000000), ref: 0091C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0091C960

Strings

REG_MULTI_SZ, xrefs: 0091C6F5
REG_DWORD, xrefs: 0091C804
REG_EXPAND_SZ, xrefs: 0091C5CD
REG_QWORD, xrefs: 0091C8C3
REG_BINARY, xrefs: 0091C913
REG_SZ, xrefs: 0091C644

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d7fca27cad3dbf266abb23a4b501e46edf83af0337f208900c4f8171bd17e1b5
Instruction ID: dbb2e28134e274bb5fdd9c027fb076d65ed725687d9e2654d6c773893121d939
Opcode Fuzzy Hash: d7fca27cad3dbf266abb23a4b501e46edf83af0337f208900c4f8171bd17e1b5
Instruction Fuzzy Hash: DA124E757082019FDB14EF18C491A6AB7E5FF88714F19885CF85A9B3A2DB31ED41CB82

Function 0092091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009209C6
_wcslen.LIBCMT ref: 00920A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00920A54
_wcslen.LIBCMT ref: 00920A8A
_wcslen.LIBCMT ref: 00920B06
_wcslen.LIBCMT ref: 00920B81

Part of subcall function 008AF9F2: _wcslen.LIBCMT ref: 008AF9FD

Part of subcall function 008F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008F2BFA

Strings

UNCHECK, xrefs: 00920D3E
SELECT, xrefs: 00920D11
EXPAND, xrefs: 00920BF8
ISCHECKED, xrefs: 00920CE1
EXISTS, xrefs: 00920B7C, 00920B97
GETITEMCOUNT, xrefs: 00920C1E
GETSELECTED, xrefs: 00920C4E
COLLAPSE, xrefs: 00920B01, 00920B1C
CHECK, xrefs: 00920A85, 00920AA0
GETTEXT, xrefs: 00920C97
GETTOTALCOUNT, xrefs: 009209F2, 00920A17

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3a3d0072712252ec30bb009527a60a4b11981c01be3b9fc4e04fc1af7647eafc
Instruction ID: 36851e93b13d0700d3903be91444e3b69286c06b4e12eae5e0faf36805e16609
Opcode Fuzzy Hash: 3a3d0072712252ec30bb009527a60a4b11981c01be3b9fc4e04fc1af7647eafc
Instruction Fuzzy Hash: 72E19A312083118FCB24EF29D45092AB7E5FFD8314B54895CF8969B7A6D731EE49CB82

Function 0091C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
_wcslen.LIBCMT ref: 0091C9F1
_wcslen.LIBCMT ref: 0091CA68
_wcslen.LIBCMT ref: 0091CA9E
_wcslen.LIBCMT ref: 0091CAF9
_wcslen.LIBCMT ref: 0091CB2F
_wcslen.LIBCMT ref: 0091CB7F

Strings

HKCU, xrefs: 0091CBCE
HKEY_CURRENT_USER, xrefs: 0091CBBD
HKEY_CURRENT_CONFIG, xrefs: 0091CB79, 0091CB7E
HKCC, xrefs: 0091CBAC
HKEY_LOCAL_MACHINE, xrefs: 0091CA62, 0091CA67
HKEY_CLASSES_ROOT, xrefs: 0091CAF3, 0091CAF8
HKLM, xrefs: 0091CA98, 0091CA9D
HKEY_USERS, xrefs: 0091CBDF
HKU, xrefs: 0091CBF0
HKCR, xrefs: 0091CB29, 0091CB2E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ac290968f3646a4b90f5715363c90e5db829b235ab604cfe340a24e6a5c56997
Instruction ID: 5f11c8b97a21faa24205c1577a50a044a91b56d019108500f3e60ded3e626a51
Opcode Fuzzy Hash: ac290968f3646a4b90f5715363c90e5db829b235ab604cfe340a24e6a5c56997
Instruction Fuzzy Hash: AF7102B278412E8BCB20DEAC99415FF3399AF60750B250528FC66E7285E634CEC4C3A1

Function 0092833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092835A
_wcslen.LIBCMT ref: 0092836E
_wcslen.LIBCMT ref: 00928391
_wcslen.LIBCMT ref: 009283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00925BF2), ref: 0092844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00928487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00928501
FreeLibrary.KERNEL32(?), ref: 0092850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0092851D
DestroyIcon.USER32(?,?,?,?,?,00925BF2), ref: 0092852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00928549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00928555

Strings

.dll, xrefs: 009283AB
.icl, xrefs: 00928368
.exe, xrefs: 00928388

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a6b6308bf68d99e959a0c7f80cbc4940a70b10633db3d9146b022fe30b25f5cc
Instruction ID: 1a150d607e0e99131ebd882663a1d5f2aa23efc7a76d8f7f58d20cb674d40e3a
Opcode Fuzzy Hash: a6b6308bf68d99e959a0c7f80cbc4940a70b10633db3d9146b022fe30b25f5cc
Instruction Fuzzy Hash: 7261CDB1514225BAEB24DB64EC42FBF77ACFF08B11F104509F815D61E1DB74AA80D7A0

Function 00897778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 008D528C
#requireadmin, xrefs: 008977FF
#notrayicon, xrefs: 008977E7
#comments-end, xrefs: 008978D9
#comments-start, xrefs: 0089785F, 008978B1
Cannot parse #include, xrefs: 008D5279
#include-once, xrefs: 0089782F
#OnAutoItStartRegister, xrefs: 00897817
', xrefs: 008D5169
#ce, xrefs: 008978ED
Bad directive syntax error, xrefs: 008D519A
#cs, xrefs: 00897873, 008978C5
#pragma compile, xrefs: 008977D3
#include, xrefs: 00897847
", xrefs: 008D5153

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f3f3ef9cd78e744efeaa208bc38c7a3f89f0b46585aa4beeebe62f72f3ff61f1
Instruction ID: 0d75b6f5fcbd025d37724ca87dc5a30abf8feb1e8b6a047119b24522217bfed0
Opcode Fuzzy Hash: f3f3ef9cd78e744efeaa208bc38c7a3f89f0b46585aa4beeebe62f72f3ff61f1
Instruction Fuzzy Hash: 97811671610205BBDF20BF68DC42FAE37A9FF55304F084026F904EA296EB70D911C792

Function 00903E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00903EF8
_wcslen.LIBCMT ref: 00903F03
_wcslen.LIBCMT ref: 00903F5A
_wcslen.LIBCMT ref: 00903F98
GetDriveTypeW.KERNEL32(?), ref: 00903FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00904059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00904087

Strings

open , xrefs: 00903FE5
set cd door , xrefs: 00904028
open, xrefs: 00903F54, 00903F59
closed, xrefs: 00903F08, 00903F2D, 00903F46, 00903F7E, 00903F97
close cd wait, xrefs: 00904072
close, xrefs: 00903EFE, 00903F18
wait, xrefs: 00904044
type cdaudio alias cd wait, xrefs: 00904001

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6bf85bf7eead04c398aec3ba685a7f315c0a972ec95a4a1d49d3c0597817c059
Instruction ID: 01b81920c839b0c5e302fba9f0feaa2f6be6c9eb45d673df15b14dd3b8ad9ab6
Opcode Fuzzy Hash: 6bf85bf7eead04c398aec3ba685a7f315c0a972ec95a4a1d49d3c0597817c059
Instruction Fuzzy Hash: 0771C3726042029FC710EF29C88186AB7F8FF94758F44892DFA95D7291EB31DD49CB92

Function 008F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008F5A40
SetWindowTextW.USER32(?,?), ref: 008F5A57
GetDlgItem.USER32(?,000003EA), ref: 008F5A6C
SetWindowTextW.USER32(00000000,?), ref: 008F5A72
GetDlgItem.USER32(?,000003E9), ref: 008F5A82
SetWindowTextW.USER32(00000000,?), ref: 008F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008F5AC3
GetWindowRect.USER32(?,?), ref: 008F5ACC
_wcslen.LIBCMT ref: 008F5B33
SetWindowTextW.USER32(?,?), ref: 008F5B6F
GetDesktopWindow.USER32 ref: 008F5B75
GetWindowRect.USER32(00000000), ref: 008F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008F5BD3
GetClientRect.USER32(?,?), ref: 008F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008F5C2F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 400b6b9a59771327a1c361cbb33ce9148dcf448a82912c5d589fce6643a3d877
Instruction ID: 027f927f3aedcbec47dc18534339ade6e1164135eaa46213bafcdb2ba8e01b2e
Opcode Fuzzy Hash: 400b6b9a59771327a1c361cbb33ce9148dcf448a82912c5d589fce6643a3d877
Instruction Fuzzy Hash: 8B717C71900B09AFDB20DFB8CE89AAEBBF5FF48714F104918E642E25A0D775E944DB50

Function 0090FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0090FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0090FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0090FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0090FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0090FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0090FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0090FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0090FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0090FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0090FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0090FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0090FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0090FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0090FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0090FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0090FECC
GetCursorInfo.USER32(?), ref: 0090FEDC
GetLastError.KERNEL32 ref: 0090FF1E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e8d9bc88d9980066217ac6da7e0e1cdb427f7b1c37eb349e582c5e8b0185612c
Instruction ID: 81baf36202fa9cb68e66fec38c45e5f2a1343b9a492db8dd19307e8c209375af
Opcode Fuzzy Hash: e8d9bc88d9980066217ac6da7e0e1cdb427f7b1c37eb349e582c5e8b0185612c
Instruction Fuzzy Hash: FE4124B0D0831A6EDB20DFBA8C8585EBFE8FF04754B54452AE11DE7681DB78A901CE91

Function 008B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008B00C6

Part of subcall function 008B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0096070C,00000FA0,8ACCAA05,?,?,?,?,008D23B3,000000FF), ref: 008B011C
Part of subcall function 008B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008D23B3,000000FF), ref: 008B0127
Part of subcall function 008B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008D23B3,000000FF), ref: 008B0138
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008B014E
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008B015C
Part of subcall function 008B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008B016A
Part of subcall function 008B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008B0195
Part of subcall function 008B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008B01A0

___scrt_fastfail.LIBCMT ref: 008B00E7

Part of subcall function 008B00A3: __onexit.LIBCMT ref: 008B00A9

Strings

WakeAllConditionVariable, xrefs: 008B0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008B0122
kernel32.dll, xrefs: 008B0133
SleepConditionVariableCS, xrefs: 008B0154
InitializeConditionVariable, xrefs: 008B0148

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 11d064739a0c6e0695680c60dc5d59ba7604917685a10e1e62206854ac734a2e
Instruction ID: a09372293641f23204d03a27e1c9ba25eb601ea3e35ee715373768b483376e57
Opcode Fuzzy Hash: 11d064739a0c6e0695680c60dc5d59ba7604917685a10e1e62206854ac734a2e
Instruction Fuzzy Hash: 5B213872A5C7116FE7246BA8AC46BAF33A4FB85B55F000539F901E73D2DBB09C009E91

Function 008F30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F318D
_wcslen.LIBCMT ref: 008F31F8

Strings

NAME, xrefs: 008F3335, 008F3346
INSTANCE, xrefs: 008F3453
CLASS, xrefs: 008F3188, 008F31A5
REGEXPCLASS, xrefs: 008F3255, 008F3266
CLASSNN, xrefs: 008F31F3, 008F3204
TEXT, xrefs: 008F347C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 4396c42767ef1b9ab9ad895d2779f8f66fa55ea78c503fcbf092cb4dfc1e90c5
Instruction ID: 59a2f8f0fc1a7f0d61cc5cfecd575cdba3a9e972c4962071f472faf3dedca110
Opcode Fuzzy Hash: 4396c42767ef1b9ab9ad895d2779f8f66fa55ea78c503fcbf092cb4dfc1e90c5
Instruction Fuzzy Hash: 03E1D732A0061EABCB24DFB8C4516FEBBB4FF54714F548119EA56F7241DB30AE858790

Function 009044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0092CC08), ref: 00904527
_wcslen.LIBCMT ref: 0090453B
_wcslen.LIBCMT ref: 00904599
_wcslen.LIBCMT ref: 009045F4
_wcslen.LIBCMT ref: 0090463F
_wcslen.LIBCMT ref: 009046A7

Part of subcall function 008AF9F2: _wcslen.LIBCMT ref: 008AF9FD

GetDriveTypeW.KERNEL32(?,00956BF0,00000061), ref: 00904743

Strings

unknown, xrefs: 00904708
removable, xrefs: 009045EA, 009045EF
cdrom, xrefs: 0090458F, 00904594
ramdisk, xrefs: 009046F1
fixed, xrefs: 00904635, 0090463A
network, xrefs: 0090469D, 009046A2
all, xrefs: 00904531, 00904536

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ce5ff6729f6efbcc60a076c76038ec6007039c9c267e8913c8acd159ebc1937e
Instruction ID: 6597a32d29ead5a4147cf1bc1a05e3b0a5012d44e4c81428e8e1a9778f04b48c
Opcode Fuzzy Hash: ce5ff6729f6efbcc60a076c76038ec6007039c9c267e8913c8acd159ebc1937e
Instruction Fuzzy Hash: 08B1EFB16083029FC710EF28C891A6AB7E9FFA5720F54491DF696C72D1E731D844CB92

Function 00913FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0092CC08), ref: 009140BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009140CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0092CC08), ref: 009140F2
FreeLibrary.KERNEL32(00000000,?,0092CC08), ref: 0091413E
StringFromGUID2.OLE32(?,?,00000028,?,0092CC08), ref: 009141A8
SysFreeString.OLEAUT32(00000009), ref: 00914262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009142C8
SysFreeString.OLEAUT32(?), ref: 009142F2

Strings

GetModuleHandleExW, xrefs: 009140C7
kernel32.dll, xrefs: 009140B6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 4f434b316393a81eb0956a0f46a052b684dab0307ee1475a2d40e80daeba9a16
Instruction ID: 64030f1247bdab1256b9df2f9f74f992bbadf8f32eb2ea26f78cc4cb89a7d59d
Opcode Fuzzy Hash: 4f434b316393a81eb0956a0f46a052b684dab0307ee1475a2d40e80daeba9a16
Instruction Fuzzy Hash: 7C125E75A00119EFDB14DF54C884EAEB7B9FF49318F248498F905AB261D731ED86CBA0

Function 0089326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00961990), ref: 008D2F8D
GetMenuItemCount.USER32(00961990), ref: 008D303D
GetCursorPos.USER32(?), ref: 008D3081
SetForegroundWindow.USER32(00000000), ref: 008D308A
TrackPopupMenuEx.USER32(00961990,00000000,?,00000000,00000000,00000000), ref: 008D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008D30A9

Strings

0, xrefs: 0089327D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5322262e484b43d362bb6df72b2115858d2d6e3882e901223646b2e487091840
Instruction ID: 8df3f269f2580d52e1027245433edefff3d9c534152fdd734ad26f62ad8a2a93
Opcode Fuzzy Hash: 5322262e484b43d362bb6df72b2115858d2d6e3882e901223646b2e487091840
Instruction Fuzzy Hash: EA710571644209BAEB319B68CC49FAABF64FF55324F240216F514EA2E0C7B1A910DB91

Function 00926CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00926DEB

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00926E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00926E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00926E94
DestroyWindow.USER32(?), ref: 00926EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00890000,00000000), ref: 00926EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00926EFD
GetDesktopWindow.USER32 ref: 00926F16
GetWindowRect.USER32(00000000), ref: 00926F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00926F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00926F4D

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

Strings

tooltips_class32, xrefs: 00926E58, 00926EDD
0, xrefs: 00926D98

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6ffb20eabf36a534808c6fe94aaf20030868ac6b2ba9f8c848477d4b7d1f61ad
Instruction ID: 134e74ff17452cfc44fb843a41eaa22dab59fcd847380df93b88ea61747ae6c4
Opcode Fuzzy Hash: 6ffb20eabf36a534808c6fe94aaf20030868ac6b2ba9f8c848477d4b7d1f61ad
Instruction Fuzzy Hash: 977168B4108245AFDB21DF18EC44FAABBF9FB89304F18081DF98997661D770A916DF12

Function 0092911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00929147

Part of subcall function 00927674: ClientToScreen.USER32(?,?), ref: 0092769A
Part of subcall function 00927674: GetWindowRect.USER32(?,?), ref: 00927710
Part of subcall function 00927674: PtInRect.USER32(?,?,00928B89), ref: 00927720

SendMessageW.USER32(?,000000B0,?,?), ref: 009291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00929225
SendMessageW.USER32(?,000000B0,?,?), ref: 0092923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00929255
SendMessageW.USER32(?,000000B1,?,?), ref: 00929277
DragFinish.SHELL32(?), ref: 0092927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00929371

Strings

@GUI_DRAGID, xrefs: 009292E9
@GUI_DROPID, xrefs: 0092929E
@GUI_DRAGFILE, xrefs: 00929320

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: db9aa252ba815a9401998ef746d5222526415c2f775deda39c95b5546aacb481
Instruction ID: 612fa7255f85b01a366ebb03e90958835683291048eb2e2d79b4e8292f21e72f
Opcode Fuzzy Hash: db9aa252ba815a9401998ef746d5222526415c2f775deda39c95b5546aacb481
Instruction Fuzzy Hash: 31614771108301AFC715EF68DC85DAFBBE8FF89750F04092EF595921A1DB709A49CBA2

Function 0090C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0090C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0090C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0090C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0090C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0090C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0090C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0090C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0090C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0090C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0090C5F0
InternetCloseHandle.WININET(00000000), ref: 0090C5FB

Strings

, xrefs: 0090C575

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c757150d21291f4e45d547cdf4f57ef06ca0ba8f0d1e86424bb4ee78aeebd60b
Instruction ID: 26b17c8f926a336a4190753c0810a4ba097d85d72b5b7157e440c4eed2735d58
Opcode Fuzzy Hash: c757150d21291f4e45d547cdf4f57ef06ca0ba8f0d1e86424bb4ee78aeebd60b
Instruction Fuzzy Hash: 93515AF4504609BFDB219F60CD88AAB7BBCFF08754F004619F94596290DB34E945ABA0

Function 0092856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00928592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285BA
GlobalLock.KERNEL32(00000000), ref: 009285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285D7
GlobalUnlock.KERNEL32(00000000), ref: 009285E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009285F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0092FC38,?), ref: 00928611
GlobalFree.KERNEL32(00000000), ref: 00928621
GetObjectW.GDI32(?,00000018,?), ref: 00928641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00928671
DeleteObject.GDI32(?), ref: 00928699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009286AF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 48a8f571b638fc57e619e91d6ef9ca7a3f80f3bffc80784e3598220c7a0f8e9f
Instruction ID: 1721ac766a38eeac7c78c9de9f56c92e3ae315003c3b5913ba33ea99fe75d8bc
Opcode Fuzzy Hash: 48a8f571b638fc57e619e91d6ef9ca7a3f80f3bffc80784e3598220c7a0f8e9f
Instruction Fuzzy Hash: D24129B5605214AFDB21DFA5DC48EAF7BBCEF89715F104058F915E7260DB30A902DB60

Function 009014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00901502
VariantCopy.OLEAUT32(?,?), ref: 0090150B
VariantClear.OLEAUT32(?), ref: 00901517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00901657
VariantInit.OLEAUT32(?), ref: 00901708
SysFreeString.OLEAUT32(?), ref: 0090178C
VariantClear.OLEAUT32(?), ref: 009017D8
VariantClear.OLEAUT32(?), ref: 009017E7
VariantInit.OLEAUT32(00000000), ref: 00901823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00901625
Default, xrefs: 009016AF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 75b267fd4d0dcd66159d8e5b27225875b1d539c169479e5d6ce5269df17ebc9b
Instruction ID: f90d61c670022697872ba936d62584c7bd5801eb7d19a1cdc0314fe7276b2926
Opcode Fuzzy Hash: 75b267fd4d0dcd66159d8e5b27225875b1d539c169479e5d6ce5269df17ebc9b
Instruction Fuzzy Hash: 69D1ED71A00205DFEB10AFA9E885B6DB7B9FF45700F14845AF406AF5D1DB34E841EBA2

Function 0091B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0091B80A
RegCloseKey.ADVAPI32(?), ref: 0091B87E
RegCloseKey.ADVAPI32(?), ref: 0091B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0091B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0091B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0091B922
FreeLibrary.KERNEL32(00000000), ref: 0091B983
RegCloseKey.ADVAPI32(00000000), ref: 0091B994

Strings

advapi32.dll, xrefs: 0091B8ED
RegDeleteKeyExW, xrefs: 0091B8FE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a0812b47da977a0a4b1bc42017614de316a8ff77f0e9a0c42eed541909365e91
Instruction ID: 5e3629db2249386a3221d41a460348e938091e0fff1d3adebb8a8cf1e0472fa6
Opcode Fuzzy Hash: a0812b47da977a0a4b1bc42017614de316a8ff77f0e9a0c42eed541909365e91
Instruction Fuzzy Hash: 86C19331208205AFD714DF18C495F6ABBE5FF84318F18845CF4598B2A2CB75ED86CB92

Function 0091255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009125E8
CreateCompatibleDC.GDI32(?), ref: 009125F4
SelectObject.GDI32(00000000,?), ref: 00912601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0091266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009126D0
SelectObject.GDI32(?,?), ref: 009126D8
DeleteObject.GDI32(?), ref: 009126E1
DeleteDC.GDI32(?), ref: 009126E8
ReleaseDC.USER32(00000000,?), ref: 009126F3

Strings

(, xrefs: 0091268D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c2a723bd43ea1ad80157176d1fc3a1b69fff65933d7ecb2c860196bb1ee38fad
Instruction ID: fab7493158b5d5f40d5cdf84bfc635e4e68d0897885aae7403c48c4f22ff7cbe
Opcode Fuzzy Hash: c2a723bd43ea1ad80157176d1fc3a1b69fff65933d7ecb2c860196bb1ee38fad
Instruction Fuzzy Hash: 696124B5E00219EFCF14DFA8C884AAEBBF5FF48300F20842AE955A7250D730A951DF90

Function 008CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008CDAA1

Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD659
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD66B
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD67D
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD68F
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6A1
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6B3
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6C5
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6D7
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6E9
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD6FB
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD70D
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD71F
Part of subcall function 008CD63C: _free.LIBCMT ref: 008CD731

_free.LIBCMT ref: 008CDA96

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CDAB8
_free.LIBCMT ref: 008CDACD
_free.LIBCMT ref: 008CDAD8
_free.LIBCMT ref: 008CDAFA
_free.LIBCMT ref: 008CDB0D
_free.LIBCMT ref: 008CDB1B
_free.LIBCMT ref: 008CDB26
_free.LIBCMT ref: 008CDB5E
_free.LIBCMT ref: 008CDB65
_free.LIBCMT ref: 008CDB82
_free.LIBCMT ref: 008CDB9A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 51666cde5c20e825158e4b85a718ea6d54c49a7dcd7614b53d3ac4692ad43481
Instruction ID: a5bcbabbe0bf8d22c350414f9e0d3a63147751a398206b7e213e64f3b44b27d2
Opcode Fuzzy Hash: 51666cde5c20e825158e4b85a718ea6d54c49a7dcd7614b53d3ac4692ad43481
Instruction Fuzzy Hash: 463116726047059FEB22BA39E845F5ABBF9FF10361F15842DE449D7192DA31EC84CB21

Function 008F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008F369C
_wcslen.LIBCMT ref: 008F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008F3797
GetClassNameW.USER32(?,?,00000400), ref: 008F380C
GetDlgCtrlID.USER32(?), ref: 008F385D
GetWindowRect.USER32(?,?), ref: 008F3882
GetParent.USER32(?), ref: 008F38A0
ScreenToClient.USER32(00000000), ref: 008F38A7
GetClassNameW.USER32(?,?,00000100), ref: 008F3921
GetWindowTextW.USER32(?,?,00000400), ref: 008F395D

Strings

%s%u, xrefs: 008F3734

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2e95c1220fbd6d3e33711183c995f07568f55faed9d7aaa39a8c8fa216cb390a
Instruction ID: 0b17a7deaad95e3e56a53c8ebcdfb61eab94f0538aaced37cbeab6a0e52ef008
Opcode Fuzzy Hash: 2e95c1220fbd6d3e33711183c995f07568f55faed9d7aaa39a8c8fa216cb390a
Instruction Fuzzy Hash: C291D27120460AAFD718DF34C885BFAF7A8FF44354F008629FA99D2190DB74EA46CB91

Function 008F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008F4994
GetWindowTextW.USER32(?,?,00000400), ref: 008F49DA
_wcslen.LIBCMT ref: 008F49EB
CharUpperBuffW.USER32(?,00000000), ref: 008F49F7
_wcsstr.LIBVCRUNTIME ref: 008F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008F4B20
GetWindowRect.USER32(?,?), ref: 008F4B8B

Strings

ThumbnailClass, xrefs: 008F4A6F, 008F4AF1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 17142e4e9d0999907251aaff9f969d8502496d7bbb5a8e97b5f069f6b0300c0f
Instruction ID: a8bda7ab5d510cf104eabde8e7329c91a6d9d4caa9cc6f6bbf26da947c9a4810
Opcode Fuzzy Hash: 17142e4e9d0999907251aaff9f969d8502496d7bbb5a8e97b5f069f6b0300c0f
Instruction Fuzzy Hash: 14919E7110820A9FDB04DF68C985BBB77A8FF84314F04546AFE85DA196DB30ED45CBA2

Function 00928D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00928D5A
GetFocus.USER32 ref: 00928D6A
GetDlgCtrlID.USER32(00000000), ref: 00928D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00928E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00928ECF
GetMenuItemCount.USER32(?), ref: 00928EEC
GetMenuItemID.USER32(?,00000000), ref: 00928EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00928F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00928F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00928FA1

Strings

0, xrefs: 00928E9F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6de33726963f29668486023750704b74bb1f7f1f1e854b96fc1c3c3115c71518
Instruction ID: ebb79f9b079132b0076ea2b36a2d106c25b56f5119babf87d30600e449eaf93b
Opcode Fuzzy Hash: 6de33726963f29668486023750704b74bb1f7f1f1e854b96fc1c3c3115c71518
Instruction Fuzzy Hash: 1381BE71509321AFDB20DF24E984AABBBE9FF88314F04091DF984D7295DB70D905DBA2

Function 008FBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00961990,000000FF,00000000,00000030), ref: 008FBFAC
SetMenuItemInfoW.USER32(00961990,00000004,00000000,00000030), ref: 008FBFE1
Sleep.KERNEL32(000001F4), ref: 008FBFF3
GetMenuItemCount.USER32(?), ref: 008FC039
GetMenuItemID.USER32(?,00000000), ref: 008FC056
GetMenuItemID.USER32(?,-00000001), ref: 008FC082
GetMenuItemID.USER32(?,?), ref: 008FC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008FC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FC145

Strings

0, xrefs: 008FBF3D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 05a9c9242013aa24afd3bb5dec0f3560abb80a98753b24c5a07f31fea172c1e1
Instruction ID: 8848b8c916d710df1abbe444cd5c2eb10d8081ab130ad060536fcdd3a87893d4
Opcode Fuzzy Hash: 05a9c9242013aa24afd3bb5dec0f3560abb80a98753b24c5a07f31fea172c1e1
Instruction Fuzzy Hash: BB617CB091424EAFDB25CF68CE88EBE7BA8FB45344F040115FA11E3291CB31AE55DB61

Function 008FDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008FDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008FDC46
_wcslen.LIBCMT ref: 008FDC50
_wcsstr.LIBVCRUNTIME ref: 008FDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008FDCBC

Strings

%u.%u.%u.%u, xrefs: 008FDD9A
StringFileInfo\, xrefs: 008FDC8F
DefaultLangCodepage, xrefs: 008FDD1F
\VarFileInfo\Translation, xrefs: 008FDCB4
04090000, xrefs: 008FDCF2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2c6759934c0260e40de0fcb0d267542f4060c8c46176ee77306776d60fafc3c5
Instruction ID: b6b45a5319256230cc405a09e5fd98ecd2887c716b1d65fe59ff68bedb36ecab
Opcode Fuzzy Hash: 2c6759934c0260e40de0fcb0d267542f4060c8c46176ee77306776d60fafc3c5
Instruction Fuzzy Hash: C1410072A443087BEB14B7799C43EFF37ACFF56710F100069FB00E6283EA20990196A6

Function 0091CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0091CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0091CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0091CD48

Part of subcall function 0091CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0091CCAA
Part of subcall function 0091CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0091CCBD
Part of subcall function 0091CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0091CCCF
Part of subcall function 0091CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0091CD05
Part of subcall function 0091CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0091CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0091CCF3

Strings

advapi32.dll, xrefs: 0091CCB8
RegDeleteKeyExW, xrefs: 0091CCC9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f47b0e006fca1e1abee4361665562402774e1a78f7bede7e799cd7998e39a4de
Instruction ID: 7ab21cb55a26f3840793506fdfa9a3ff2531cba8d40758b6bb2a8227d4343d55
Opcode Fuzzy Hash: f47b0e006fca1e1abee4361665562402774e1a78f7bede7e799cd7998e39a4de
Instruction Fuzzy Hash: BA319EB5A8512CBBDB218B51DC88EFFBB7CEF45740F000465A905E2241DA748E86EAA0

Function 00903D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00903D40
_wcslen.LIBCMT ref: 00903D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00903D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00903DBE
RemoveDirectoryW.KERNEL32(?), ref: 00903DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00903E55
CloseHandle.KERNEL32(00000000), ref: 00903E60
CloseHandle.KERNEL32(00000000), ref: 00903E6B

Strings

\, xrefs: 00903D77
:, xrefs: 00903D82
\??\%s, xrefs: 00903D5B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ab57eeba03dcb80ea0618e1ffc7af44b8fa7c57f53f42e97e134d38eafc0e716
Instruction ID: e1f1b64db6ea0abd1bdc1bbdf7d4f924b4a89c921c4103ce60526cc4ec6f83a7
Opcode Fuzzy Hash: ab57eeba03dcb80ea0618e1ffc7af44b8fa7c57f53f42e97e134d38eafc0e716
Instruction Fuzzy Hash: 2B31B2B1914209ABDB21DBA4DC49FEF37BCEF88700F1081B6F519D61A0EB7497458B24

Function 008FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008FE6B4

Part of subcall function 008AE551: timeGetTime.WINMM(?,?,008FE6D4), ref: 008AE555

Sleep.KERNEL32(0000000A), ref: 008FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008FE727
SetActiveWindow.USER32 ref: 008FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008FE773
Sleep.KERNEL32(000000FA), ref: 008FE77E
IsWindow.USER32 ref: 008FE78A
EndDialog.USER32(00000000), ref: 008FE79B

Strings

BUTTON, xrefs: 008FE719

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 135f77061f52dc9c8db790df048fa86dc6684220b0ce587116f2ad038dd8b49e
Instruction ID: fe919c4abdee0798c3b4fc176df5d214b3a1b87d39d1ead54f69cf11074cb547
Opcode Fuzzy Hash: 135f77061f52dc9c8db790df048fa86dc6684220b0ce587116f2ad038dd8b49e
Instruction Fuzzy Hash: 232165B022860DAFEB205F75EC8DE3D3B69F754749B10042AF612C1171DBB59C11AB25

Function 008FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008FEAA7

Strings

open , xrefs: 008FEA0C
play PlayMe wait, xrefs: 008FEA91
play PlayMe, xrefs: 008FEAA2
close PlayMe, xrefs: 008FEA6E, 008FEA9B
status PlayMe mode, xrefs: 008FEA58
alias PlayMe, xrefs: 008FEA36

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cfa9a451a30f5f62a4dbccee06ad5d5686b8ff69503288a749b4f8b8f11354af
Instruction ID: bc8d6cc179887939fc352e1af5cb11c44d0df0b58daadc5f69ca363dbfb0676e
Opcode Fuzzy Hash: cfa9a451a30f5f62a4dbccee06ad5d5686b8ff69503288a749b4f8b8f11354af
Instruction Fuzzy Hash: EC118F61A9022979DB20F7A6DC5ADFF6A7CFBE1F44F440429B901E20E0EA700909C6B1

Function 008F9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008FA012
SetKeyboardState.USER32(?), ref: 008FA07D
GetAsyncKeyState.USER32(000000A0), ref: 008FA09D
GetKeyState.USER32(000000A0), ref: 008FA0B4
GetAsyncKeyState.USER32(000000A1), ref: 008FA0E3
GetKeyState.USER32(000000A1), ref: 008FA0F4
GetAsyncKeyState.USER32(00000011), ref: 008FA120
GetKeyState.USER32(00000011), ref: 008FA12E
GetAsyncKeyState.USER32(00000012), ref: 008FA157
GetKeyState.USER32(00000012), ref: 008FA165
GetAsyncKeyState.USER32(0000005B), ref: 008FA18E
GetKeyState.USER32(0000005B), ref: 008FA19C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57478b92f1f8597ecde9bf8c969b6dc9e113867efa8918b9177bc485cfb34eea
Instruction ID: b314b1c41ef38e0f061d82c72f37d6e85c354dc8714cadbbac554eacf9554a41
Opcode Fuzzy Hash: 57478b92f1f8597ecde9bf8c969b6dc9e113867efa8918b9177bc485cfb34eea
Instruction Fuzzy Hash: 5551D96090478C29FB39DB7484147FABFB4EF12390F088599D6C6D71C2DA64AA8CC763

Function 008F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008F5CE2
GetWindowRect.USER32(00000000,?), ref: 008F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008F5D59
GetDlgItem.USER32(?,00000002), ref: 008F5D69
GetWindowRect.USER32(00000000,?), ref: 008F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008F5DCF
GetDlgItem.USER32(?,000003E9), ref: 008F5DDD
GetWindowRect.USER32(00000000,?), ref: 008F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008F5E31
GetDlgItem.USER32(?,000003EA), ref: 008F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008F5E67

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e62a5cde89405bc482db469322debf5a10c7deada663124a92866e1e6ef54110
Instruction ID: 33f896137c4551927902fc8b25d21b8465e75216bad49ea46c28bce940149f4d
Opcode Fuzzy Hash: e62a5cde89405bc482db469322debf5a10c7deada663124a92866e1e6ef54110
Instruction Fuzzy Hash: 2951FEB1A10609AFDF18DF68DD89AAEBBB9FB48300F148129F615E6690D7709E05CB50

Function 008A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008A8BE8,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8FC5

DestroyWindow.USER32(?), ref: 008A8C81
KillTimer.USER32(00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000,?), ref: 008E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008A8BBA,00000000), ref: 008E69D4
DeleteObject.GDI32(00000000), ref: 008E69E6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fd3fae47b4e33df176ca04a2a60d1db0f26da12034d6ce59e798a7bf1ed8e893
Instruction ID: 1025f6fa6bf773cd0392724bbd0447d793e8ef8d3ea4b4846ce15a0b0caaa7a9
Opcode Fuzzy Hash: fd3fae47b4e33df176ca04a2a60d1db0f26da12034d6ce59e798a7bf1ed8e893
Instruction Fuzzy Hash: 4361DB30416640DFEB359F19D948B29BBF1FB52326F18452CE042DB960CB71ACA1EFA0

Function 008A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008A9944: GetWindowLongW.USER32(?,000000EB), ref: 008A9952

GetSysColor.USER32(0000000F), ref: 008A9862

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3261611dc767e740a882813f35cdd127847cd6b4e873f0ed8149838aa635c0ea
Instruction ID: b0525c8b400e36eeaff09570d5801ea9af767bb18b3dc8a5f189e5089fa8bc4b
Opcode Fuzzy Hash: 3261611dc767e740a882813f35cdd127847cd6b4e873f0ed8149838aa635c0ea
Instruction Fuzzy Hash: C8418E7110C644AAEB305F389C85BB93B65FB07320F144655FAE2C71E2C6799C42EB11

Function 008F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008F9717
LoadStringW.USER32(00000000,?,008DF7F8,00000001), ref: 008F9720

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008F9742
LoadStringW.USER32(00000000,?,008DF7F8,00000001), ref: 008F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008F9866

Strings

Line %d (File "%s"):, xrefs: 008F978F
Line %d:, xrefs: 008F97A0
Error: , xrefs: 008F981D
^ ERROR, xrefs: 008F97FB
%s (%d) : ==> %s: %s %s, xrefs: 008F984A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 858b57cbca155b200a9f5cf98ccf212b32f62eaa1bb02762fa183bd8f3a9c338
Instruction ID: 458ee819098eab01443b13b9d5dfb6fcb97f8abb783822d13e276e0d95063b65
Opcode Fuzzy Hash: 858b57cbca155b200a9f5cf98ccf212b32f62eaa1bb02762fa183bd8f3a9c338
Instruction Fuzzy Hash: B9413A72804209AACF04FBE8DD46EEE7778FF55344F540029F605B2192EB256F48DB62

Function 008F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008F083C

Strings

\CLSID, xrefs: 008F0724
\IPC$, xrefs: 008F0784
SOFTWARE\Classes\, xrefs: 008F070E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: bcf731b97c28837902d36f6cc231c3feafceb3f00c7d1f2909df871ab892b52f
Instruction ID: 160c31724674f7f70eedfd3633cf0b95242b32a3e19341d61f2b422c31200d2d
Opcode Fuzzy Hash: bcf731b97c28837902d36f6cc231c3feafceb3f00c7d1f2909df871ab892b52f
Instruction Fuzzy Hash: BD410772C10229AFCF25EBA8DC958EEB778FF44350F494169E911A3161EB309E04CF91

Function 00923F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0092403B
CreateCompatibleDC.GDI32(00000000), ref: 00924042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00924055
SelectObject.GDI32(00000000,00000000), ref: 0092405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00924068
DeleteDC.GDI32(00000000), ref: 00924072
GetWindowLongW.USER32(?,000000EC), ref: 0092407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00924092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0092409E

Strings

static, xrefs: 00923FD3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 48124a8134524f9ef35f7a0b6765b551831f13e1877011a5fbd9ff291863bec7
Instruction ID: 24f408aa00858a59156bc467bdbab2d17d472e505f99e964a31366d6bd597acd
Opcode Fuzzy Hash: 48124a8134524f9ef35f7a0b6765b551831f13e1877011a5fbd9ff291863bec7
Instruction Fuzzy Hash: C2317A72555225BBDF219FA4EC09FDE3B68EF0D724F100210FA18A61A0C775D861EB94

Function 00913C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00913C5C
CoInitialize.OLE32(00000000), ref: 00913C8A
CoUninitialize.OLE32 ref: 00913C94
_wcslen.LIBCMT ref: 00913D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00913DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00913ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00913F0E
CoGetObject.OLE32(?,00000000,0092FB98,?), ref: 00913F2D
SetErrorMode.KERNEL32(00000000), ref: 00913F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00913FC4
VariantClear.OLEAUT32(?), ref: 00913FD8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b700c01d7a3421195cfb03cd59f32837087286866abea872a1ee5c684d301413
Instruction ID: 9ca5add3afe135ba0377b621021bd2d0c848c6adb2a335b38f1c734e27f3e761
Opcode Fuzzy Hash: b700c01d7a3421195cfb03cd59f32837087286866abea872a1ee5c684d301413
Instruction Fuzzy Hash: CBC132716083099FD710DF28C88496ABBF9FF89744F04891DF98A9B251D730EE46CB92

Function 00907A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00907AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00907B8F
SHGetDesktopFolder.SHELL32(?), ref: 00907BA3
CoCreateInstance.OLE32(0092FD08,00000000,00000001,00956E6C,?), ref: 00907BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00907C74
CoTaskMemFree.OLE32(?,?), ref: 00907CCC
SHBrowseForFolderW.SHELL32(?), ref: 00907D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00907D7A
CoTaskMemFree.OLE32(00000000), ref: 00907D81
CoTaskMemFree.OLE32(00000000), ref: 00907DD6
CoUninitialize.OLE32 ref: 00907DDC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b2785bac8659fd03a8f16e8cea688fd7f6c6887316a799bedad5e7f60615db99
Instruction ID: 43005c5a5adc49e86153d69b9b7d094714d01348d74c6d89661f19a679750bdb
Opcode Fuzzy Hash: b2785bac8659fd03a8f16e8cea688fd7f6c6887316a799bedad5e7f60615db99
Instruction Fuzzy Hash: 25C1F875A04119AFDB14DFA8C884DAEBBB9FF48314B148499E819DB3A1D730EE45CB90

Function 0092541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00925504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00925515
CharNextW.USER32(00000158), ref: 00925544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00925585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0092559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009255AC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: faa4391109080b7558ed2ef5dca9144bfd11328bdeeb47c8d8e4d15de0f2c342
Instruction ID: 8912759dd538191e415b500e1338f5f0942b73f6c4e2301283d948741f403d02
Opcode Fuzzy Hash: faa4391109080b7558ed2ef5dca9144bfd11328bdeeb47c8d8e4d15de0f2c342
Instruction Fuzzy Hash: 2E61DF74904629EFDF209F94EC84EFE7BB9EF09320F118005F925A72A4C7748A81DB60

Function 008EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008EFB08
VariantInit.OLEAUT32(?), ref: 008EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008EFB3A
VariantCopy.OLEAUT32(?,?), ref: 008EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008EFBA1
VariantClear.OLEAUT32(?), ref: 008EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008EFBCC
VariantClear.OLEAUT32(?), ref: 008EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008EFBE9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bdd00370c82f0139871c43b7fa7c4053d07beff8500fd2eb70fb327bb88ce269
Instruction ID: b452d33075a5a4fbf61f7b713ae16623375bc25ccc1120cc27663b9ef0d6de99
Opcode Fuzzy Hash: bdd00370c82f0139871c43b7fa7c4053d07beff8500fd2eb70fb327bb88ce269
Instruction Fuzzy Hash: 9E417275A14219AFCF10EF69CC549AEBBB9FF48354F008065E905E7261CB30A946CF91

Function 008F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008F9D22
GetKeyState.USER32(000000A0), ref: 008F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008F9D57
GetKeyState.USER32(000000A1), ref: 008F9D6C
GetAsyncKeyState.USER32(00000011), ref: 008F9D84
GetKeyState.USER32(00000011), ref: 008F9D96
GetAsyncKeyState.USER32(00000012), ref: 008F9DAE
GetKeyState.USER32(00000012), ref: 008F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008F9DD8
GetKeyState.USER32(0000005B), ref: 008F9DEA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b054d7d19ed49f9d4ddc52fe5ae3eeba3664fe3a66c46d198bbb9c1aa914c3a
Instruction ID: b1e31a8254a4f3b41dbfc224c4d168a37a53453aa3636a5e70a652ae0490932e
Opcode Fuzzy Hash: 4b054d7d19ed49f9d4ddc52fe5ae3eeba3664fe3a66c46d198bbb9c1aa914c3a
Instruction Fuzzy Hash: F2419674508BCE6DFF31967488047B5BEA0FF12344F14805ADBC6D66C2DBA599C8C7A2

Function 0091055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009105BC
inet_addr.WSOCK32(?), ref: 0091061C
gethostbyname.WSOCK32(?), ref: 00910628
IcmpCreateFile.IPHLPAPI ref: 00910636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009107B9
WSACleanup.WSOCK32 ref: 009107BF

Strings

Ping, xrefs: 00910676

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 894ff491b4dbca1f4e052a3e88b59142dc8fdbaba2ced5cc3b390f7568a3b586
Instruction ID: 345ba1aceec5a4ce611e5b621697dcb8c2c9dfa9aac40d1bc9bc4c481d199239
Opcode Fuzzy Hash: 894ff491b4dbca1f4e052a3e88b59142dc8fdbaba2ced5cc3b390f7568a3b586
Instruction Fuzzy Hash: 7F918E756082019FD720DF19C889B5ABBE4FF84358F1485A9F4698B6A2C771EDC1CF81

Function 00918CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00918CF3

Part of subcall function 008F8E54: _wcslen.LIBCMT ref: 008F8E77

_wcslen.LIBCMT ref: 00918D4E
_wcslen.LIBCMT ref: 00918D9C
_wcslen.LIBCMT ref: 00918DDC
_wcslen.LIBCMT ref: 00918E6E

Strings

cdecl, xrefs: 00918D48, 00918D4D
stdcall, xrefs: 00918DD6, 00918DDB
winapi, xrefs: 00918D96, 00918D9B
none, xrefs: 00918E65, 00918E6A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 91c19d3c59f3ba85f6f8c9f1ed9d6693aa5efb25998cd23bf37d69d48f0c2d63
Instruction ID: 91599653dd77f16e83e7b23b3854aa2463c8aa8f8bcceb05fb9b9c001d87ca71
Opcode Fuzzy Hash: 91c19d3c59f3ba85f6f8c9f1ed9d6693aa5efb25998cd23bf37d69d48f0c2d63
Instruction Fuzzy Hash: FF519F31A0011A9ACF24EF6CC8409FFB7A9FF64324B244629E826E72C0DB30DD80D791

Function 0091372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00913774
CoUninitialize.OLE32 ref: 0091377F
CoCreateInstance.OLE32(?,00000000,00000017,0092FB78,?), ref: 009137D9
IIDFromString.OLE32(?,?), ref: 0091384C
VariantInit.OLEAUT32(?), ref: 009138E4
VariantClear.OLEAUT32(?), ref: 00913936

Strings

Failed to create object, xrefs: 009137E4, 0091389A
Invalid parameter, xrefs: 00913865
NULL Pointer assignment, xrefs: 0091381E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f2bea62d94136f9643a751e14201139544a5ad982d1a8a9e2f94135077fb78d3
Instruction ID: e4a4a84fc020c050fcb10c26e7a06c03e1f1a7bf9a8f811fe1184d6485d974b2
Opcode Fuzzy Hash: f2bea62d94136f9643a751e14201139544a5ad982d1a8a9e2f94135077fb78d3
Instruction Fuzzy Hash: B961A170708305AFD710DF64C844BAABBF8EF89714F108859F98597291D770EE88CB92

Function 00903388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009033CF

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009033F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00903522
Line %d (File "%s"):, xrefs: 00903443, 0090345C
^ ERROR , xrefs: 0090349E
Incorrect parameters to object property !, xrefs: 009034AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00903504
Error: , xrefs: 009034D1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4bfd5760f6f2dd5ca4b42fb63ee321004572f9ad86380c175dae583cc2038986
Instruction ID: 54889578e06040b6f6887671e7ce8d2f4d4a07e67785adb41c85dbd093ad9928
Opcode Fuzzy Hash: 4bfd5760f6f2dd5ca4b42fb63ee321004572f9ad86380c175dae583cc2038986
Instruction Fuzzy Hash: 9651A071900209AADF15FBA8DD42EEEB778FF04344F184169F505B21A2EB712F58DB62

Function 008FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008FB5FC
_wcslen.LIBCMT ref: 008FB608
_wcslen.LIBCMT ref: 008FB64D
_wcslen.LIBCMT ref: 008FB68C
_wcslen.LIBCMT ref: 008FB6C7

Strings

APPEND, xrefs: 008FB6C1, 008FB6C6
KEYS, xrefs: 008FB647, 008FB64C
REMOVE, xrefs: 008FB602, 008FB607
EXISTS, xrefs: 008FB686, 008FB68B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 1bd92da370f89fee3559ed51a2b56f8bece23703fb3d72b112fa844b1e1cfbd8
Instruction ID: 24f77bf97222ce75ad9c0643cdf2162781983005022172682c0fa499bec65fab
Opcode Fuzzy Hash: 1bd92da370f89fee3559ed51a2b56f8bece23703fb3d72b112fa844b1e1cfbd8
Instruction Fuzzy Hash: CA41B632A0012A9BCB20AF7DCC915BE7BA5FF74758B254129E661DB284F739CD81C790

Function 00905393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00905416
GetLastError.KERNEL32 ref: 00905420
SetErrorMode.KERNEL32(00000000,READY), ref: 009054A7

Strings

READY, xrefs: 00905460, 00905468
READONLY, xrefs: 00905452
UNKNOWN, xrefs: 00905444
NOTREADY, xrefs: 0090544B
INVALID, xrefs: 00905459

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: da4c3bfed5a711c23c5e76e99d1afc5ee294804adc39cd6f49604244e0f9ee0a
Instruction ID: 6be1a06c143a1327fdc8bfd9b97c4f790a028ee560713a614ad3d098687267b9
Opcode Fuzzy Hash: da4c3bfed5a711c23c5e76e99d1afc5ee294804adc39cd6f49604244e0f9ee0a
Instruction Fuzzy Hash: E3319D75A006059FCB10DF69C885AEABBB8FF04305F598469E805CB2E2DB70DD86CF91

Function 00923C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00923C79
SetMenu.USER32(?,00000000), ref: 00923C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00923D10
IsMenu.USER32(?), ref: 00923D24
CreatePopupMenu.USER32 ref: 00923D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00923D5B
DrawMenuBar.USER32 ref: 00923D63

Strings

F, xrefs: 00923D4E
0, xrefs: 00923C54

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1ec1e780b395112e04b46e0ef9b523cac8e31a661f2978ddfbc77917528fe314
Instruction ID: 297245c810a2550667de25f0b16fb920cdb2725605654a7f8065c9a248c91587
Opcode Fuzzy Hash: 1ec1e780b395112e04b46e0ef9b523cac8e31a661f2978ddfbc77917528fe314
Instruction Fuzzy Hash: D04189B4A15219AFDB24CF64E844EAA7BB9FF49310F144028F946A73A0D774EA10DF90

Function 008F1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008F1F64
GetDlgCtrlID.USER32 ref: 008F1F6F
GetParent.USER32 ref: 008F1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F1F8E
GetDlgCtrlID.USER32(?), ref: 008F1F97
GetParent.USER32(?), ref: 008F1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F1FAE

Strings

ListBox, xrefs: 008F1F21
ComboBox, xrefs: 008F1EEC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0dcd71f96a398b196dfd792797e8f57e7145e3d57edfc293e99edd2945dda3c7
Instruction ID: bcdbbad428739d3f99d46839d219dc7d38256b49c94c77b8be091eecdcd906c9
Opcode Fuzzy Hash: 0dcd71f96a398b196dfd792797e8f57e7145e3d57edfc293e99edd2945dda3c7
Instruction Fuzzy Hash: C421C270A00218BBCF14EFA5DC99DFEBBB8FF05314B000119FA61A72A1CB345909DB60

Function 008F1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008F2043
GetDlgCtrlID.USER32 ref: 008F204E
GetParent.USER32 ref: 008F206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F206D
GetDlgCtrlID.USER32(?), ref: 008F2076
GetParent.USER32(?), ref: 008F208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008F208D

Strings

ListBox, xrefs: 008F2002
ComboBox, xrefs: 008F1FCD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8a02786bcff3d243a1cd3e50fbda5d8a7a25077cca505149c77265c93d8306f4
Instruction ID: 086438a16164c66f59701a31974f0019e8bfcbfb783499fcadfcbe8407f14ae4
Opcode Fuzzy Hash: 8a02786bcff3d243a1cd3e50fbda5d8a7a25077cca505149c77265c93d8306f4
Instruction Fuzzy Hash: 8E2192B5900218BBCF10AFB5CC45EFEBBB8FF45344F004015FA51A72A1DA755919DB61

Function 00923A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00923A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00923AA0
GetWindowLongW.USER32(?,000000F0), ref: 00923AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00923AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00923B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00923BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00923BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00923BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00923BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00923C13

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 112030f2a30385aef083143fe30366fb2e6a1b71ddf1793f9ba1b29f2ee791d9
Instruction ID: dd7d7ed9a464abb01b5636b75773747ee8c045ab8bb8e3202673613bce8d409a
Opcode Fuzzy Hash: 112030f2a30385aef083143fe30366fb2e6a1b71ddf1793f9ba1b29f2ee791d9
Instruction Fuzzy Hash: 38617875A00218AFDB10DFA8DC81EEE77B8EB49700F14419AFA55E72A1C774AE41DB50

Function 008FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB165
GetWindowThreadProcessId.USER32(00000000), ref: 008FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008FA1E1,?,00000001), ref: 008FB21D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 123f4c609440fc59c4bb001e71135dd8b0430e132d51f38dff0bf5448d9d6c24
Instruction ID: 402d0524fd1022cd08b92184510009b5ed05eb83b42b7c2f801a7a72ddd059fd
Opcode Fuzzy Hash: 123f4c609440fc59c4bb001e71135dd8b0430e132d51f38dff0bf5448d9d6c24
Instruction Fuzzy Hash: AF31ADB1528208BFEB209F74DC48BBD7BA9FB61391F108009FB01D6190D7B49E459FA4

Function 008C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008C2C94

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008C2CA0
_free.LIBCMT ref: 008C2CAB
_free.LIBCMT ref: 008C2CB6
_free.LIBCMT ref: 008C2CC1
_free.LIBCMT ref: 008C2CCC
_free.LIBCMT ref: 008C2CD7
_free.LIBCMT ref: 008C2CE2
_free.LIBCMT ref: 008C2CED
_free.LIBCMT ref: 008C2CFB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a914d3e7c6fe58741ccb58ec5973b97af373b4062e703c5bf111f1af9fd8cdaa
Instruction ID: 44efd02d7a48ebfda3c8ba9c484c4a5f93dccae19e39a68b900f73ae2b80d4d5
Opcode Fuzzy Hash: a914d3e7c6fe58741ccb58ec5973b97af373b4062e703c5bf111f1af9fd8cdaa
Instruction Fuzzy Hash: 1911A476100108AFCB02EF58D882EDD3FB5FF05350F4144A9FA489F2A2DA31EE549B91

Function 00907DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00907FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00907FC1
GetFileAttributesW.KERNEL32(?), ref: 00907FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00908005
SetCurrentDirectoryW.KERNEL32(?), ref: 00908017
SetCurrentDirectoryW.KERNEL32(?), ref: 00908060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009080B0

Strings

*.*, xrefs: 00908066

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 52bf7d7ed4a8ca194296bdcaf3355c54a3fcf8e6d7e15eb6bf1b952e5f461206
Instruction ID: a47f3ff0437cfa1a50e4d3cd6a9bb8835ba6c9fa3da0cdff0a7b2751670fbd84
Opcode Fuzzy Hash: 52bf7d7ed4a8ca194296bdcaf3355c54a3fcf8e6d7e15eb6bf1b952e5f461206
Instruction Fuzzy Hash: 188171729082459FCB20EF54C4449AEF7E8FF85320F544C6AF885D72A1EB35ED458B52

Function 00895BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00895C7A

Part of subcall function 00895D0A: GetClientRect.USER32(?,?), ref: 00895D30
Part of subcall function 00895D0A: GetWindowRect.USER32(?,?), ref: 00895D71
Part of subcall function 00895D0A: ScreenToClient.USER32(?,?), ref: 00895D99

GetDC.USER32 ref: 008D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008D4708
SelectObject.GDI32(00000000,00000000), ref: 008D4716
SelectObject.GDI32(00000000,00000000), ref: 008D472B
ReleaseDC.USER32(?,00000000), ref: 008D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008D47C4

Strings

U, xrefs: 008D4693

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 942bf70a074cb66d8ac384a4d4cef6154cb2e1351e0ad48432ad3a6d264a9c55
Instruction ID: bdb0eb8e32ee6b4b970927fe0846d82af1f0c5fb693089a10d533f37a831c259
Opcode Fuzzy Hash: 942bf70a074cb66d8ac384a4d4cef6154cb2e1351e0ad48432ad3a6d264a9c55
Instruction Fuzzy Hash: 3171E231404209DFCF219F64C984ABA7BB5FF4A368F18536AE956DA2A6C731CC41DF50

Function 0090359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009035E4

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

LoadStringW.USER32(00962390,?,00000FFF,?), ref: 0090360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00903742
Line %d (File "%s"):, xrefs: 0090366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00903724
Error: , xrefs: 009036EF
^ ERROR, xrefs: 009036C9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 15e7ebc9e018f61de32bee3dbcd4751e5a2ddfacc25ff0c3a8e64dbc29463289
Instruction ID: d60ba9a409a506c0ef6bcd4fcbf5fe3e799f997b87ced9881b5e3e224345908a
Opcode Fuzzy Hash: 15e7ebc9e018f61de32bee3dbcd4751e5a2ddfacc25ff0c3a8e64dbc29463289
Instruction Fuzzy Hash: F0516F71800209BADF15FBA4DC42EEEBB38FF54304F084129F505B21A1EB711B99DBA2

Function 00928B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

Part of subcall function 008A912D: GetCursorPos.USER32(?), ref: 008A9141
Part of subcall function 008A912D: ScreenToClient.USER32(00000000,?), ref: 008A915E
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000001), ref: 008A9183
Part of subcall function 008A912D: GetAsyncKeyState.USER32(00000002), ref: 008A919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00928B6B
ImageList_EndDrag.COMCTL32 ref: 00928B71
ReleaseCapture.USER32 ref: 00928B77
SetWindowTextW.USER32(?,00000000), ref: 00928C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00928C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00928CFF

Strings

@GUI_DROPID, xrefs: 00928C51
@GUI_DRAGFILE, xrefs: 00928C9A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: fe38ccf30a1cd956a23b05ece54477a01f1e5556c7333e1b8359127c459a1f29
Instruction ID: 64cc4a536cb2ce79d394cb19ddef21e2aa93fbe1dc46f5217adcd41801b497e6
Opcode Fuzzy Hash: fe38ccf30a1cd956a23b05ece54477a01f1e5556c7333e1b8359127c459a1f29
Instruction Fuzzy Hash: B7518C71109310AFDB14EF14EC56FAA77E4FB88714F04062DF996A72A1DB719904CBA2

Function 0090C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0090C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0090C2CA
GetLastError.KERNEL32 ref: 0090C322
SetEvent.KERNEL32(?), ref: 0090C336
InternetCloseHandle.WININET(00000000), ref: 0090C341

Strings

, xrefs: 0090C2BB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2bddb202dfc7735a62b60d5f7c3f7b5e446e24cf17321124b9196e66395d708f
Instruction ID: 02b86dd8b438f6edf2629612205e96fd490e87981a5fb455e718ea514ec2647f
Opcode Fuzzy Hash: 2bddb202dfc7735a62b60d5f7c3f7b5e446e24cf17321124b9196e66395d708f
Instruction Fuzzy Hash: C5314AF1614608AFD7219FA48C88AAF7BFCEB49744F14861EF446D2290DB34DD05ABA1

Function 008F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008D3AAF,?,?,Bad directive syntax error,0092CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008F98BC
LoadStringW.USER32(00000000,?,008D3AAF,?), ref: 008F98C3

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008F9987

Strings

., xrefs: 008F996D
Error: , xrefs: 008F9955
Line %d (File "%s"):, xrefs: 008F992D
Line %d:, xrefs: 008F9912
%s (%d) : ==> %s.: %s %s, xrefs: 008F98F1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b6b44f97512124582d1a5c00aa95c0f07861888ed38bb5d343d073a1fb342c91
Instruction ID: d76ce5f9376e9eee21f24cd39e9b140ff04cf3adce5ffa04eaee748110f59839
Opcode Fuzzy Hash: b6b44f97512124582d1a5c00aa95c0f07861888ed38bb5d343d073a1fb342c91
Instruction Fuzzy Hash: 8121943194421EABDF11EFA4CC06EFE7739FF14305F084469F615A20A2DB719618DB61

Function 008F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008F214D

Strings

list, xrefs: 008F212F
details, xrefs: 008F20FB
largeicons, xrefs: 008F20E1
smallicons, xrefs: 008F2115
SHELLDLL_DefView, xrefs: 008F20CC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 971ce1bd5dec5a5b85a88bc6178152e59786cd9d99f12cb1911a13ed6eb05d96
Instruction ID: ea764708651f3d395dbd81eaffa746ee7e3504ad26583b7802dea9ae825babb8
Opcode Fuzzy Hash: 971ce1bd5dec5a5b85a88bc6178152e59786cd9d99f12cb1911a13ed6eb05d96
Instruction Fuzzy Hash: 4111367628870FB9FA116234DC1BDFA739CEF05329B211116FB04E40E2FE61B88A5619

Function 008C8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1930f311cb1090ef4d533f18cc5931a8f9cd6d04895b64e8bf03e1f3b625238f
Instruction ID: 1907beb348b25ef5941edf6eda437cdbcdc226532601e5b0e77c2d7759c6e0d4
Opcode Fuzzy Hash: 1930f311cb1090ef4d533f18cc5931a8f9cd6d04895b64e8bf03e1f3b625238f
Instruction Fuzzy Hash: 92C1BB74A04649AFDB219FA8D885FADBBB0FF49310F08409DE955E7392CB70D941CB62

Function 008CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008CCEB7
_free.LIBCMT ref: 008CCF22
_free.LIBCMT ref: 008CCF48
_free.LIBCMT ref: 008CCF71
_free.LIBCMT ref: 008CCFA9
_free.LIBCMT ref: 008CCFDA
_free.LIBCMT ref: 008CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008CD09C
_free.LIBCMT ref: 008CD0B5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4f0d4df43ed8888378c2c6e248e2ee84bd777a56e5305681e2c28ff6198aa927
Instruction ID: 09ae8f5e6e12c0cffaca07cbfbb183be140ef27ec2888948a8b0c45a93997284
Opcode Fuzzy Hash: 4f0d4df43ed8888378c2c6e248e2ee84bd777a56e5305681e2c28ff6198aa927
Instruction Fuzzy Hash: 0D613571918304AFDB21AFB89892F6A7BB9FF05320F04426DF948D7282DBB1DD019791

Function 008A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008A8874,00000000,00000000,00000000,000000FF,00000000), ref: 008E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008A8874,00000000,00000000,00000000,000000FF,00000000), ref: 008E692D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 621dbe1bed8f60659c4d85726d7f07864ad06983c8f652ff12e84fface5be05d
Instruction ID: 118792c4054014780f3349a2f58e24f52b7674ed9a2464e9ce4351a7b11bd045
Opcode Fuzzy Hash: 621dbe1bed8f60659c4d85726d7f07864ad06983c8f652ff12e84fface5be05d
Instruction Fuzzy Hash: E0519AB0600209EFEB20DF25CC55BAA7BB5FB59360F104528F902D76A0EB70E991DB60

Function 0090C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0090C182
GetLastError.KERNEL32 ref: 0090C195
SetEvent.KERNEL32(?), ref: 0090C1A9

Part of subcall function 0090C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0090C272
Part of subcall function 0090C253: GetLastError.KERNEL32 ref: 0090C322
Part of subcall function 0090C253: SetEvent.KERNEL32(?), ref: 0090C336
Part of subcall function 0090C253: InternetCloseHandle.WININET(00000000), ref: 0090C341

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 800eb66ee49e1a278521d64c325ba666ef13794b7634685c890e4e91f9440f29
Instruction ID: 04e359c88821a1f2d982c69d0ab532026ba9cc499c349c10dd897795e86f13a8
Opcode Fuzzy Hash: 800eb66ee49e1a278521d64c325ba666ef13794b7634685c890e4e91f9440f29
Instruction Fuzzy Hash: 5C318EB1604601FFDB219FA9DD44A6ABBFDFF58310B00461DF96682A50DB30E815ABA0

Function 008F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008F2627

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e95d4c387bd40c9cdca2bd437a89292d89c5aa85cdda6888b2585fed9babbd29
Instruction ID: f77a267d32ef716d258bace6ee74fdc6293bbbde877ef7c322e3478f8e2319e8
Opcode Fuzzy Hash: e95d4c387bd40c9cdca2bd437a89292d89c5aa85cdda6888b2585fed9babbd29
Instruction Fuzzy Hash: BD01D870398624BBFB2067799C8AF693F59EF4EB11F100001F314EE0D1C9E214459A6A

Function 008F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008F1449,?,?,00000000), ref: 008F180C
HeapAlloc.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008F1449,?,?,00000000), ref: 008F1828
GetCurrentProcess.KERNEL32(?,00000000,?,008F1449,?,?,00000000), ref: 008F1830
DuplicateHandle.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008F1449,?,?,00000000), ref: 008F1843
GetCurrentProcess.KERNEL32(008F1449,00000000,?,008F1449,?,?,00000000), ref: 008F184B
DuplicateHandle.KERNEL32(00000000,?,008F1449,?,?,00000000), ref: 008F184E
CreateThread.KERNEL32(00000000,00000000,008F1874,00000000,00000000,00000000), ref: 008F1868

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99af5b302d9eb31b970c33e62164138d4c1b8c2d8ab357b29a8a666af843d74a
Instruction ID: 03fbc42c9d77d270aef798b8138161c2192076bc61d1027d5f973eb94812426e
Opcode Fuzzy Hash: 99af5b302d9eb31b970c33e62164138d4c1b8c2d8ab357b29a8a666af843d74a
Instruction Fuzzy Hash: 6801BFB5654308BFE720AB75DC4EF6B3B6CEB89B11F104411FA05DB192C6749815DB60

Function 0091A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008FD501
Part of subcall function 008FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008FD50F
Part of subcall function 008FD4DC: CloseHandle.KERNELBASE(00000000), ref: 008FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0091A16D
GetLastError.KERNEL32 ref: 0091A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0091A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0091A268
GetLastError.KERNEL32(00000000), ref: 0091A273
CloseHandle.KERNEL32(00000000), ref: 0091A2C4

Strings

SeDebugPrivilege, xrefs: 0091A18F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9df9002dce82d186b21ce223c2c325d5fb4c4fcec62bb5b134246ae355841230
Instruction ID: 883c526dfcb28e557081e0bad2f8abaae1f50d9bf9dfc8ed8e85190b28f749e2
Opcode Fuzzy Hash: 9df9002dce82d186b21ce223c2c325d5fb4c4fcec62bb5b134246ae355841230
Instruction Fuzzy Hash: 9661B271309241AFD720DF18C494F69BBE5AF44318F58848CE4668B7A3C776ED85CB92

Function 00923886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00923925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0092393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00923954
_wcslen.LIBCMT ref: 00923999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009239F4

Strings

SysListView32, xrefs: 009238F7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 7a69ffa917d2c099f61d12b6a1dfb0ff74a9cf27642926eb2ceb2a37b08417f6
Instruction ID: c24a98d36e7a39e2d7f04e1932bfdb42f53ad40edc2cd799f9a9f4e8a8a6cf2c
Opcode Fuzzy Hash: 7a69ffa917d2c099f61d12b6a1dfb0ff74a9cf27642926eb2ceb2a37b08417f6
Instruction Fuzzy Hash: 1441E371A00229ABEF21DF64DC49BEE7BA9FF48350F104526F948E7281D7759E80CB90

Function 008FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008FBCFD
IsMenu.USER32(00000000), ref: 008FBD1D
CreatePopupMenu.USER32 ref: 008FBD53
GetMenuItemCount.USER32(014D56B8), ref: 008FBDA4
InsertMenuItemW.USER32(014D56B8,?,00000001,00000030), ref: 008FBDCC

Strings

2, xrefs: 008FBD37
0, xrefs: 008FBCA8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 987f02535a557b8da7e31a1114d158a99d9c1622bfc19cbcf2622e8261ea4012
Instruction ID: a8bf5a1e54c077571426a5d8c7dda42190721c91f3d3ad9e3e677d636f1f70fd
Opcode Fuzzy Hash: 987f02535a557b8da7e31a1114d158a99d9c1622bfc19cbcf2622e8261ea4012
Instruction Fuzzy Hash: F0518BB0A0420D9BDB20EFB8D884BBEBBF8FF45354F244219E611D7290D7709941CB62

Function 008FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008FC913

Strings

question, xrefs: 008FC8CC
blank, xrefs: 008FC895
info, xrefs: 008FC8B4
warning, xrefs: 008FC8FC
stop, xrefs: 008FC8E4

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b8b1e625ad6e242cd2821769d9ffc472e5d8f27e83b3c44429fb2d7b49debd01
Instruction ID: 6b310c81f503970b8d07e0269d7988fd40b94b18808822213c162f5437439613
Opcode Fuzzy Hash: b8b1e625ad6e242cd2821769d9ffc472e5d8f27e83b3c44429fb2d7b49debd01
Instruction Fuzzy Hash: 2C11083178930EBAEB009B749D83CBE6B9CFF15359B50102AFA00E6282E7A19F045265

Function 008FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008FDE42
gethostname.WSOCK32(?,00000100), ref: 008FDE5C
gethostbyname.WSOCK32(?), ref: 008FDE69
inet_ntoa.WSOCK32(?), ref: 008FDEAB
_strcat.LIBCMT ref: 008FDEB9
WSACleanup.WSOCK32 ref: 008FDEDE

Strings

0.0.0.0, xrefs: 008FDE87

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 885028d318b51d094fd61c7fecff11db98a5ab58978ae895529f35818819b9a8
Instruction ID: 5682750899a8b46527d3474a1d4530eb0cff5e51abe7764d22b7eab4247d3d00
Opcode Fuzzy Hash: 885028d318b51d094fd61c7fecff11db98a5ab58978ae895529f35818819b9a8
Instruction Fuzzy Hash: 92110671904218ABCB30BB749C0AEEE77ADFF11715F010169F745EA192EF718A819A61

Function 00929F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetSystemMetrics.USER32(0000000F), ref: 00929FC7
GetSystemMetrics.USER32(0000000F), ref: 00929FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0092A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0092A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0092A263
ShowWindow.USER32(00000003,00000000), ref: 0092A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0092A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0092A2CA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a4744126385acaedc1cbd660de00ebbf5750af7875b8ac0b7c1e2df881b6bce5
Instruction ID: bd982f99d6fb5d0886d0a363b1eb66d2d86799d59458584539d51f9b4828ca3e
Opcode Fuzzy Hash: a4744126385acaedc1cbd660de00ebbf5750af7875b8ac0b7c1e2df881b6bce5
Instruction Fuzzy Hash: C1B1EB32604225EFDF14CF68D9847AE3BB6FF44711F088069EC59AB29AD731A940CB61

Function 008FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008FED2A
_wcslen.LIBCMT ref: 008FED3B
_wcslen.LIBCMT ref: 008FED79
_wcslen.LIBCMT ref: 008FEDAF
_wcslen.LIBCMT ref: 008FEDDF
_wcslen.LIBCMT ref: 008FEDEF
_wcslen.LIBCMT ref: 008FEE2B
_wcslen.LIBCMT ref: 008FEE5A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5de8fb07c11c1bf597eed7ba070b565e410bac05b79297984b34a80230683c33
Instruction ID: deea6066a7a2490dc106dfba7ae934723f1e1cb5b7524f379c7cc2935fd57940
Opcode Fuzzy Hash: 5de8fb07c11c1bf597eed7ba070b565e410bac05b79297984b34a80230683c33
Instruction Fuzzy Hash: 4D416265C1021C76DB11EBF88C8A9DFB7A8FF45710F508566E618E3222FB34E255C3A6

Function 008AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 008EF454

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b6d0614ff77118a3ac6f6da44f5a0f935faf209b9489ba60468bba30c1b5635a
Instruction ID: b9edc3e684533a956897458bc64c2337372bbf3e848e6df45fb083d060d043ba
Opcode Fuzzy Hash: b6d0614ff77118a3ac6f6da44f5a0f935faf209b9489ba60468bba30c1b5635a
Instruction Fuzzy Hash: 2F411830218680BAE7788B69888876B7F91FB47318F1C443CE387D2E63C631A881DB51

Function 00922D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00922D1B
GetDC.USER32(00000000), ref: 00922D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00922D2E
ReleaseDC.USER32(00000000,00000000), ref: 00922D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00922D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00922D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00925A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00922DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00922DE1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf999a35aa5e2a1729b1a0c4766e84fd22305935c75f9694703032435f2fe795
Instruction ID: 7df2cdf0a111df0c90be60eb25a8acf81daa08e9199bd1a33d575fb0cc8d0140
Opcode Fuzzy Hash: cf999a35aa5e2a1729b1a0c4766e84fd22305935c75f9694703032435f2fe795
Instruction Fuzzy Hash: 7B317AB2215224BFEB218F50DC8AFEB3BADEF09715F044055FE089A291C6759C51CBA4

Function 008F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008F5637
_memcmp.LIBVCRUNTIME ref: 008F5659
_memcmp.LIBVCRUNTIME ref: 008F5671
_memcmp.LIBVCRUNTIME ref: 008F5684
_memcmp.LIBVCRUNTIME ref: 008F569E
_memcmp.LIBVCRUNTIME ref: 008F56B1
_memcmp.LIBVCRUNTIME ref: 008F56C9
_memcmp.LIBVCRUNTIME ref: 008F56E4

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: afd0015c3864effba1b3b7138aaf5211446b7d117d1529414c380ebe5c775454
Instruction ID: 587c5781fb5d35efe99cf11b737aa51f0b236b1a89fdb15a928aad88ecbc0fb6
Opcode Fuzzy Hash: afd0015c3864effba1b3b7138aaf5211446b7d117d1529414c380ebe5c775454
Instruction Fuzzy Hash: 62219561644A1D77D654A6349DA6FFA239CFE74388F840030FF15DE785F728ED1081A6

Function 00914FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0091502E, 00915383
Not an Object type, xrefs: 00915007

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b87d6c4582364ebe70d3cbc5816d4c4637ae15930d07061ae9d932d24a574dc1
Instruction ID: 2e9998836d09ea10ee8993069c719fc066fc11af14b400dfe30d59f337850f8d
Opcode Fuzzy Hash: b87d6c4582364ebe70d3cbc5816d4c4637ae15930d07061ae9d932d24a574dc1
Instruction Fuzzy Hash: 26D17071B0060AEFDB10DF98D881BEEB7B9BF88344F168469E915AB281D770DD85CB50

Function 008D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008D17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008D15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008D1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008D17FB,?,008D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008D16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008D16FB

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008D1777
__freea.LIBCMT ref: 008D17A2
__freea.LIBCMT ref: 008D17AE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 4d3ff908644795f8437521da289979f495ec2efce203045aeca2c3f9bef40b9a
Instruction ID: 77cfe1a7553a3ed8c882aae1bec261e55b6a3b81e917058962b7eac9ea85fe6f
Opcode Fuzzy Hash: 4d3ff908644795f8437521da289979f495ec2efce203045aeca2c3f9bef40b9a
Instruction Fuzzy Hash: F091C271F0021AAADF208E64D889AEE7BB5FF49714F18475AE805E7351DB39DD40CBA0

Function 00914523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00914648
VariantInit.OLEAUT32(?), ref: 00914749
VariantClear.OLEAUT32(?), ref: 00914753
VariantClear.OLEAUT32(?), ref: 009147B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009145D8, 00914706, 009147BE
Incorrect Object type in FOR..IN loop, xrefs: 0091472C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9688c503f2525d9e25c3dfef56cdc6ced0658273958bfc386d1dc8069d3c406a
Instruction ID: 5ef03288b82c24aa63e82c84709917b15589a1eca57935d92fbb799d5af697dd
Opcode Fuzzy Hash: 9688c503f2525d9e25c3dfef56cdc6ced0658273958bfc386d1dc8069d3c406a
Instruction Fuzzy Hash: 6F917E71A00219ABDF20CFA5DC44FEEBBB8EF4A715F108559F515AB280D7709985CFA0

Function 00901187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0090125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00901284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0090135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00901430

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 388ea769a9abd7beb4e076f9f4d3a7df7e4338d52b17d41144b8c8b749fef323
Instruction ID: f8d4fcf2b37ea6b277d9bc111c26ad70056283df16f82a4d34452c989ecf17ae
Opcode Fuzzy Hash: 388ea769a9abd7beb4e076f9f4d3a7df7e4338d52b17d41144b8c8b749fef323
Instruction Fuzzy Hash: BC910471A00219AFEB00DFA8C884BBEB7B9FF45314F144429E951EB2E1D778E941CB91

Function 008A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6085ff2506db088b20c7c5a03fe3925442d3a5cb2c9821974ed04c834f2bcd9d
Instruction ID: a1145ac603871512a19b94177d030b28bc5be733185f826afa8610ddd4937af2
Opcode Fuzzy Hash: 6085ff2506db088b20c7c5a03fe3925442d3a5cb2c9821974ed04c834f2bcd9d
Instruction Fuzzy Hash: 8A913471D08219EFDB10CFA9C885AEEBBB9FF4A320F148049E555F7251D374AA42CB60

Function 00913947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0091396B
CharUpperBuffW.USER32(?,?), ref: 00913A7A
_wcslen.LIBCMT ref: 00913A8A
VariantClear.OLEAUT32(?), ref: 00913C1F

Part of subcall function 00900CDF: VariantInit.OLEAUT32(00000000), ref: 00900D1F
Part of subcall function 00900CDF: VariantCopy.OLEAUT32(?,?), ref: 00900D28
Part of subcall function 00900CDF: VariantClear.OLEAUT32(?), ref: 00900D34

Strings

AUTOIT.ERROR, xrefs: 00913A80, 00913A85
Incorrect Parameter format, xrefs: 009139A6, 00913BA1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b3850bff612c7dbd9565f82ba8f1c289244026ba0c9ec44c6690a987c8a6926e
Instruction ID: 732dc732ba238b740dc02f7b86bf293bf638c2e96c937c632ea5b7752f5665f0
Opcode Fuzzy Hash: b3850bff612c7dbd9565f82ba8f1c289244026ba0c9ec44c6690a987c8a6926e
Instruction Fuzzy Hash: 6A9126746083059FCB14EF28C4809AAB7E8FF89314F14892DF89A97351DB30EE45CB92

Function 00914BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?,?,008F035E), ref: 008F002B
Part of subcall function 008F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0046
Part of subcall function 008F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0054
Part of subcall function 008F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?), ref: 008F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00914C51
_wcslen.LIBCMT ref: 00914D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00914DCF
CoTaskMemFree.OLE32(?), ref: 00914DDA

Strings

NULL Pointer assignment, xrefs: 00914E23, 00914E52

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f4787ded3262c71f9a48ab0330593c2ea8c66c47bb5a0e0a42983c66f31f1953
Instruction ID: 7c58e249d08aba12c737af15b8ae531fad84510eb952425e47a8e2c47637133a
Opcode Fuzzy Hash: f4787ded3262c71f9a48ab0330593c2ea8c66c47bb5a0e0a42983c66f31f1953
Instruction Fuzzy Hash: 86911671D0021DAFDF14DFA4D891AEEB7B9FF08310F108569E915A7291EB349A44CFA1

Function 009220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00922183
GetMenuItemCount.USER32(00000000), ref: 009221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009221DD
_wcslen.LIBCMT ref: 00922213
GetMenuItemID.USER32(?,?), ref: 0092224D
GetSubMenu.USER32(?,?), ref: 0092225B

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009222E3

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: eabc344969b56246b3b82942e3b6e453b17e78ecfd77e4345cf26a4215a9b33f
Instruction ID: bd33319314f0ca079cb8be9c1da693646763d9b62e369a2f5d24e917e0298903
Opcode Fuzzy Hash: eabc344969b56246b3b82942e3b6e453b17e78ecfd77e4345cf26a4215a9b33f
Instruction Fuzzy Hash: 6771CF75A04215EFCB14EFA8D881AAEB7F5FF48310F148458E926EB355DB35EE018B90

Function 00927E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014D55F0), ref: 00927F37
IsWindowEnabled.USER32(014D55F0), ref: 00927F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0092801E
SendMessageW.USER32(014D55F0,000000B0,?,?), ref: 00928051
IsDlgButtonChecked.USER32(?,?), ref: 00928089
GetWindowLongW.USER32(014D55F0,000000EC), ref: 009280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009280C3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 85b186346edee454a762078b45dd2ded26b9df1c0b41c03eec2a89fcba33626b
Instruction ID: 373a4acfe1128064269708c3973d68d8ac363e24c30fee13a76b4324c2cb5ee0
Opcode Fuzzy Hash: 85b186346edee454a762078b45dd2ded26b9df1c0b41c03eec2a89fcba33626b
Instruction Fuzzy Hash: E771C27460D224AFEB209F94ED84FFABBB9FF09300F140459F945A72A9CB31A845DB11

Function 008FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008FAEF9
GetKeyboardState.USER32(?), ref: 008FAF0E
SetKeyboardState.USER32(?), ref: 008FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008FB020

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 634bb1e444bd1849c31ddfbc6d8d9a6361e9ea2c103833bd2436081605173ce1
Instruction ID: 9e2a8b006d06ee5c0f006963ffa10fea6fb79e6d347324b9c7defab91ca16186
Opcode Fuzzy Hash: 634bb1e444bd1849c31ddfbc6d8d9a6361e9ea2c103833bd2436081605173ce1
Instruction Fuzzy Hash: A751E5E06147D93DFB364234CC45BBA7EA9FB06314F088589E2E9D94C2C798ACC4D761

Function 008FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008FAD19
GetKeyboardState.USER32(?), ref: 008FAD2E
SetKeyboardState.USER32(?), ref: 008FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008FAE38

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7d1205352a24a88b5dfce8c98c2bcc08cf9a2cef759970da1931f1d2d9979aea
Instruction ID: 7b0839f7c07967f6f479c16071f6c086473e423640365580cbdbde8624a40e60
Opcode Fuzzy Hash: 7d1205352a24a88b5dfce8c98c2bcc08cf9a2cef759970da1931f1d2d9979aea
Instruction Fuzzy Hash: 9651E6E15047D93DFB3A9334CC85B7A7EA9FB45310F088488E2D9D68C2D294EC88D762

Function 008C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008D3CD6,?,?,?,?,?,?,?,?,008C5BA3,?,?,008D3CD6,?,?), ref: 008C5470
__fassign.LIBCMT ref: 008C54EB
__fassign.LIBCMT ref: 008C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008D3CD6,00000005,00000000,00000000), ref: 008C552C
WriteFile.KERNEL32(?,008D3CD6,00000000,008C5BA3,00000000,?,?,?,?,?,?,?,?,?,008C5BA3,?), ref: 008C554B
WriteFile.KERNEL32(?,?,00000001,008C5BA3,00000000,?,?,?,?,?,?,?,?,?,008C5BA3,?), ref: 008C5584

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b6293a5b8226746dfd527460bfd9587047d9121c07c37967c770679e460e58a9
Instruction ID: b592460fed2bca848e05c41f4c8fd21d8996e41d5ba95262b13059c7a138133f
Opcode Fuzzy Hash: b6293a5b8226746dfd527460bfd9587047d9121c07c37967c770679e460e58a9
Instruction Fuzzy Hash: E4518BB0A04609AFDF10CFA8D895FEEBBB9FB09300F14451EE555E7291D670EA81CB60

Function 008B2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008B2D53
_ValidateLocalCookies.LIBCMT ref: 008B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008B2E0C
_ValidateLocalCookies.LIBCMT ref: 008B2E61

Strings

csm, xrefs: 008B2DF6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e66edebde9864b0690a57c6b9f7bd209fab6d175a2fc7030b0ff66a0ef9a2691
Instruction ID: dc2cb48e3bed56a5415cf978573bb71bc58f26813bf0c546020e8e3c9d08ffd9
Opcode Fuzzy Hash: e66edebde9864b0690a57c6b9f7bd209fab6d175a2fc7030b0ff66a0ef9a2691
Instruction Fuzzy Hash: 25418034A0020DABCF10DF69C855ADEBBA5FF45328F188165E815EB392D731AA15CB91

Function 009110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
Part of subcall function 0091304E: _wcslen.LIBCMT ref: 0091309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00911112
WSAGetLastError.WSOCK32 ref: 00911121
WSAGetLastError.WSOCK32 ref: 009111C9
closesocket.WSOCK32(00000000), ref: 009111F9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e9aa77a039887a0dd765558acdf8bd0122ff19a201c9d8a5e5cb14c40b640f3b
Instruction ID: 22a35a41bc04913a2de8b766ffa6354d49273f3df5d95f505aa87a030de26cf3
Opcode Fuzzy Hash: e9aa77a039887a0dd765558acdf8bd0122ff19a201c9d8a5e5cb14c40b640f3b
Instruction Fuzzy Hash: 4F41C171704208BFDB209F18D884BEABBE9FF45324F148059FA199B291D774AD81CBA1

Function 008FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008FCF22,?), ref: 008FDDFD

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008FCF22,?), ref: 008FDE16

lstrcmpiW.KERNEL32(?,?), ref: 008FCF45
MoveFileW.KERNEL32(?,?), ref: 008FCF7F
_wcslen.LIBCMT ref: 008FD005
_wcslen.LIBCMT ref: 008FD01B
SHFileOperationW.SHELL32(?), ref: 008FD061

Strings

\*.*, xrefs: 008FCFF3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c880c18f76dd0ba268155bc24e5077ee26de3664f8bcc1b405367984ea6d4f50
Instruction ID: edcf2192ab8c5ca1cb3eaa2f4f0cca250430c6179b4fc351566481e6e1f45ccd
Opcode Fuzzy Hash: c880c18f76dd0ba268155bc24e5077ee26de3664f8bcc1b405367984ea6d4f50
Instruction Fuzzy Hash: 8841437194521C5FDF12EBB4CA81AEEB7B9FF48380F1000A6E605EB151EE74A785CB51

Function 00922DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00922E1C
GetWindowLongW.USER32(?,000000F0), ref: 00922E4F
GetWindowLongW.USER32(?,000000F0), ref: 00922E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00922EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00922EE0
GetWindowLongW.USER32(?,000000F0), ref: 00922EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00922F0B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6a92ed916b0888ba1bc6f5b2d4d497c43ef927f246aff564aadca37a0e3cb071
Instruction ID: e01ae4b2c0cdd4ce06c9183b634a134414fd44c1c187d16810481b9aef96ed76
Opcode Fuzzy Hash: 6a92ed916b0888ba1bc6f5b2d4d497c43ef927f246aff564aadca37a0e3cb071
Instruction Fuzzy Hash: 83310630619161AFDB21CF58EC84F6937E5FB9A710F1A0164F9118F2B5CBB1A841EF41

Function 008F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F778F
SysAllocString.OLEAUT32(00000000), ref: 008F7792
SysAllocString.OLEAUT32(?), ref: 008F77B0
SysFreeString.OLEAUT32(?), ref: 008F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008F77DE
SysAllocString.OLEAUT32(?), ref: 008F77EC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d775a19575de979fc5616e6c79a42f5463b4e1c0984bba8f866531ed1e15b72d
Instruction ID: e9e6fc68a0eb46b68f965b5e33d84bc5698acfb6ee08f82ada5813b1ff1a96f9
Opcode Fuzzy Hash: d775a19575de979fc5616e6c79a42f5463b4e1c0984bba8f866531ed1e15b72d
Instruction Fuzzy Hash: E7217F7661821DAFEB10AFB8DC88CBB77ACFB097647148025FA15DB161D6709C428BA4

Function 008F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008F7868
SysAllocString.OLEAUT32(00000000), ref: 008F786B
SysAllocString.OLEAUT32 ref: 008F788C
SysFreeString.OLEAUT32 ref: 008F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008F78AF
SysAllocString.OLEAUT32(?), ref: 008F78BD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 17545d74acddd1c218d7cba923f32ee2a584f96d7948ecee9cd6c357041b487f
Instruction ID: 106eef1435e90334adef503a7c21a74bacd9e414670f5ecc175c18d1fa6a5dbd
Opcode Fuzzy Hash: 17545d74acddd1c218d7cba923f32ee2a584f96d7948ecee9cd6c357041b487f
Instruction Fuzzy Hash: 56216571618108AFEB10AFB8DC89DBA77ECFB097607108135FA15CB1A1D674DC41DB68

Function 009004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0090052E

Strings

nul, xrefs: 00900567

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d3246833ab0382e81860d8326f21dec78413d79018fcee45a3de75b83d72e244
Instruction ID: f1143f5d1943ad830d9958046cbb5bf798e4b3ed53822f8a4bb72b7ea8ef79bf
Opcode Fuzzy Hash: d3246833ab0382e81860d8326f21dec78413d79018fcee45a3de75b83d72e244
Instruction Fuzzy Hash: 322148B5500205AFDB209F2ADC45B9E7BF8AF85724F204A29F8A1D62E0E7709951DF20

Function 009005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00900601

Strings

nul, xrefs: 00900639

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 190284e45730e21fa3af0b0b23c80e2a3e00c1037b4c5f2655fcf02a371b6645
Instruction ID: f2bf7810041671630fa85112cfae38be9079d18335776ad754fba35c4ef967b2
Opcode Fuzzy Hash: 190284e45730e21fa3af0b0b23c80e2a3e00c1037b4c5f2655fcf02a371b6645
Instruction Fuzzy Hash: 44218E755003059FDB209F69DC04B9A77E9AFD5B20F200B19F8A1E72E0DBB199A1DB20

Function 009240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0089600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
Part of subcall function 0089600E: GetStockObject.GDI32(00000011), ref: 00896060
Part of subcall function 0089600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00924112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0092411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0092412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00924139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00924145

Strings

Msctls_Progress32, xrefs: 009240E3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 64fd43cc0ddeb635a593b48e198abb2fcaa461eb1be92149fb2b8a4aa9891e83
Instruction ID: 0efd9c9b96ac09b85b2a438241979306f9ca557c9472af2ace9f678fb67c96b7
Opcode Fuzzy Hash: 64fd43cc0ddeb635a593b48e198abb2fcaa461eb1be92149fb2b8a4aa9891e83
Instruction Fuzzy Hash: EA11B6B11502297EEF119F64DC85EE77F5DEF18798F014110FA18A2090C7729C61DBA4

Function 008CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008CD7A3: _free.LIBCMT ref: 008CD7CC

_free.LIBCMT ref: 008CD82D

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CD838
_free.LIBCMT ref: 008CD843
_free.LIBCMT ref: 008CD897
_free.LIBCMT ref: 008CD8A2
_free.LIBCMT ref: 008CD8AD
_free.LIBCMT ref: 008CD8B8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 65305edde989446064f66b714a0c882fc34282cb9b7e0cf5fa8ba4d96dc5e5ed
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 4511F971540B04AAD621BFB4CC46FCB7BBCFF04700F40982DB29DE6892DA75E5098662

Function 008FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008FDA74
LoadStringW.USER32(00000000), ref: 008FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008FDA91
LoadStringW.USER32(00000000), ref: 008FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008FDAB9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 1eeec99c28fbeff39b36ddf685a2f3e0182db3c69b347328bbcdf80824dfb73a
Instruction ID: 0f781f505ab670d052c7447d9473b38d5f222099a1790ee591523d8b73c74d20
Opcode Fuzzy Hash: 1eeec99c28fbeff39b36ddf685a2f3e0182db3c69b347328bbcdf80824dfb73a
Instruction Fuzzy Hash: 4E0162F25042187FE720DBA49D89EFF326CEB08305F400492B746E2041E6749E854F74

Function 0090096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014CDEF8,014CDEF8), ref: 0090097B
EnterCriticalSection.KERNEL32(014CDED8,00000000), ref: 0090098D
TerminateThread.KERNEL32(?,000001F6), ref: 0090099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009009A9
CloseHandle.KERNEL32(?), ref: 009009B8
InterlockedExchange.KERNEL32(014CDEF8,000001F6), ref: 009009C8
LeaveCriticalSection.KERNEL32(014CDED8), ref: 009009CF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 857520afe34f80b9ab1e3fef3c817f6b7e41565e80696c08059e1791fc34165d
Instruction ID: 3e491ae7e93b7133c74f047f371676d6d0f796818ebf393d6248bda8b118b5f8
Opcode Fuzzy Hash: 857520afe34f80b9ab1e3fef3c817f6b7e41565e80696c08059e1791fc34165d
Instruction Fuzzy Hash: 62F01D7145A902EBD7615B94EE89BDA7A29BF41702F501015F111508A1CB749466DF90

Function 00911C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00911DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00911DE1
WSAGetLastError.WSOCK32 ref: 00911DF2
htons.WSOCK32(?,?,?,?,?), ref: 00911EDB
inet_ntoa.WSOCK32(?), ref: 00911E8C

Part of subcall function 008F39E8: _strlen.LIBCMT ref: 008F39F2

Part of subcall function 00913224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0090EC0C), ref: 00913240

_strlen.LIBCMT ref: 00911F35

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b8afa591edabc033d7e511d3772359fd127e1b924a1977e29d7494128bd2707d
Instruction ID: c9e13be78eadd1bc9490f7bf5f1111db6b7fe40bfd7b22fc91f30e74f43c6b2b
Opcode Fuzzy Hash: b8afa591edabc033d7e511d3772359fd127e1b924a1977e29d7494128bd2707d
Instruction Fuzzy Hash: D7B1C331204304AFD724DF28C885E6A77A5FF85318F58854CF5569B3A2DB71ED82CB92

Function 00895D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00895D30
GetWindowRect.USER32(?,?), ref: 00895D71
ScreenToClient.USER32(?,?), ref: 00895D99
GetClientRect.USER32(?,?), ref: 00895ED7
GetWindowRect.USER32(?,?), ref: 00895EF8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 75fe73657812472fcfa438f4c16d93a1e25eab13ebe0414d0f4fc8233774502d
Instruction ID: 8396b3010a3de0f5c93e6b5f9602ba207206a21549e88e703b69f4cf05750eb1
Opcode Fuzzy Hash: 75fe73657812472fcfa438f4c16d93a1e25eab13ebe0414d0f4fc8233774502d
Instruction Fuzzy Hash: 41B16875A00A4ADBDF10DFA9C4807EEB7F1FF48310F18951AE8AAD7250DB30AA51DB50

Function 008C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C00D6
__allrem.LIBCMT ref: 008C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C010B
__allrem.LIBCMT ref: 008C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C0140

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: c81cc3136cad4843ebe30626d44e2ad55db3a3b3989d4093b199840fd3171e95
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2281B471A00B069BE7249E6CCC42FAAB3F9FF51764F24452EF551D6782EB70D9008B51

Function 008C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008B82D9,008B82D9,?,?,?,008C644F,00000001,00000001,8BE85006), ref: 008C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008C644F,00000001,00000001,8BE85006,?,?,?), ref: 008C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008C63D8
__freea.LIBCMT ref: 008C63E5

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

__freea.LIBCMT ref: 008C63EE
__freea.LIBCMT ref: 008C6413

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b77d8afe14024f8bc1b8176401cf181ed45c23648e5510c59450eaf90c41e8f8
Instruction ID: 00a6fa6a01e98331b076555144ebd437dc84c57c9b8fbbb4d7d8c6cb67bc86a7
Opcode Fuzzy Hash: b77d8afe14024f8bc1b8176401cf181ed45c23648e5510c59450eaf90c41e8f8
Instruction Fuzzy Hash: 9651AB72A00256ABEB258E74CC81FAF7BB9FB44750F14463DF805D6281EB34DC61D6A0

Function 0091BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091BD25
RegCloseKey.ADVAPI32(00000000), ref: 0091BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0091BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0091BDF3
RegCloseKey.ADVAPI32(?), ref: 0091BDFF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f794215949232e3421cae6a285f38001919c4f4022e939239432a077387459a7
Instruction ID: 5a435f89c20372edb4b16ee94332493d9d3bb5f2c903e5320d383da0a214bfc5
Opcode Fuzzy Hash: f794215949232e3421cae6a285f38001919c4f4022e939239432a077387459a7
Instruction Fuzzy Hash: 9881A270208245EFD714DF28C895E6ABBE9FF84308F14895CF5958B2A2DB31ED45CB92

Function 008EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008EF7B9
SysAllocString.OLEAUT32(00000001), ref: 008EF860
VariantCopy.OLEAUT32(008EFA64,00000000), ref: 008EF889
VariantClear.OLEAUT32(008EFA64), ref: 008EF8AD
VariantCopy.OLEAUT32(008EFA64,00000000), ref: 008EF8B1
VariantClear.OLEAUT32(?), ref: 008EF8BB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: be04dd2ed8602ffa6ca4477e511721213669eb108ffa2620ce914851ad17f4f5
Instruction ID: 9ca8350f74e326352851bafe0a91b227ea8cc2988ec26141465bb7de48c4b8db
Opcode Fuzzy Hash: be04dd2ed8602ffa6ca4477e511721213669eb108ffa2620ce914851ad17f4f5
Instruction Fuzzy Hash: C151D431610354ABDF20BB6AD895B29B7A8FF47314B248466FA05DF293DB708C40CB97

Function 0090910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009094E5
_wcslen.LIBCMT ref: 00909506
_wcslen.LIBCMT ref: 0090952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00909585

Strings

X, xrefs: 00909412

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5a8fea82ab531121fdbbf561c3c9ade5b2f051872ff0cc5215b4c045c0efb49f
Instruction ID: b7740c51931fb2979f0764ffea68850a5093cfaeff8d4979e81854ff00d0900b
Opcode Fuzzy Hash: 5a8fea82ab531121fdbbf561c3c9ade5b2f051872ff0cc5215b4c045c0efb49f
Instruction Fuzzy Hash: 3AE18471508301DFDB14EF29C881A6AB7E4FF85314F08896DF8999B2A2DB31DD05CB92

Function 008A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

BeginPaint.USER32(?,?,?), ref: 008A9241
GetWindowRect.USER32(?,?), ref: 008A92A5
ScreenToClient.USER32(?,?), ref: 008A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008A92D3
EndPaint.USER32(?,?,?,?,?), ref: 008A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008E71EA

Part of subcall function 008A9339: BeginPath.GDI32(00000000), ref: 008A9357

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7045db4160a6d269ecc37e10f43e2ccfc2cb958844391962f9e1a39199f66b83
Instruction ID: 6514513352579e1f14233a119fc3ae45abc0ff542154cfd4ba8e7777d833efe3
Opcode Fuzzy Hash: 7045db4160a6d269ecc37e10f43e2ccfc2cb958844391962f9e1a39199f66b83
Instruction Fuzzy Hash: 3F41AE7010D301AFEB20DF25D885FAA7BB8FF46764F140269F9A4C72A1C7719845EB62

Function 009007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0090080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00900847
EnterCriticalSection.KERNEL32(?), ref: 00900863
LeaveCriticalSection.KERNEL32(?), ref: 009008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00900921

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3a0e42cbc1c2c7abe3620ad355c0be4dd54299217683d5fb581d799aac83fb3b
Instruction ID: cfbdb0ef9748b209feeb7fee04a916a0aea0e29fca6a5fc4e73856daf9881cb0
Opcode Fuzzy Hash: 3a0e42cbc1c2c7abe3620ad355c0be4dd54299217683d5fb581d799aac83fb3b
Instruction Fuzzy Hash: E5415A71900205EFEF149F94DC85AAA77B8FF44300F1480A5ED00DA297DB31DE65DBA5

Function 009281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008EF3AB,00000000,?,?,00000000,?,008E682C,00000004,00000000,00000000), ref: 0092824C
EnableWindow.USER32(?,00000000), ref: 00928272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009282D1
ShowWindow.USER32(?,00000004), ref: 009282E5
EnableWindow.USER32(?,00000001), ref: 0092830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0092832F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c9cc1d86644e4ef5560025918ff80869896e6772d6c14bdcb9c724e0c676af7c
Instruction ID: 68e1a8ed01fa9429796503f7057bec6fe4284c1b8f665c5e4bb68997936aa214
Opcode Fuzzy Hash: c9cc1d86644e4ef5560025918ff80869896e6772d6c14bdcb9c724e0c676af7c
Instruction Fuzzy Hash: 5041F430606650EFDB25CF14E899BE97BE4FF0A754F1842A8E5184F2B6CB72A841DF50

Function 008F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008F4CEA
_wcslen.LIBCMT ref: 008F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008F4D10
_wcsstr.LIBVCRUNTIME ref: 008F4D1A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1ffbd0feaa6153225cf7656c67db24f819b8fb3bb3c94931eeb20e7ede110ef2
Instruction ID: 537b091b17044012b5dba95419939518f53c69d59044c6dab0b6eedbfb7e1e35
Opcode Fuzzy Hash: 1ffbd0feaa6153225cf7656c67db24f819b8fb3bb3c94931eeb20e7ede110ef2
Instruction Fuzzy Hash: 532129712042097BFB256B799C09E7F7B9CFF45750F10502AFA05CA192DA75DC0192A1

Function 0090581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00893AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00893A97,?,?,00892E7F,?,?,?,00000000), ref: 00893AC2

_wcslen.LIBCMT ref: 0090587B
CoInitialize.OLE32(00000000), ref: 00905995
CoCreateInstance.OLE32(0092FCF8,00000000,00000001,0092FB68,?), ref: 009059AE
CoUninitialize.OLE32 ref: 009059CC

Strings

.lnk, xrefs: 00905876, 009058C1, 00905985

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aea3980d4193be85dd1a5700f45b741ef75db5cc2d60cd1b7a08ee89e5957a29
Instruction ID: 27cea194cf9f5b5c9a96783e697fa603594365ea1c7ba99399ed329dd8538d89
Opcode Fuzzy Hash: aea3980d4193be85dd1a5700f45b741ef75db5cc2d60cd1b7a08ee89e5957a29
Instruction Fuzzy Hash: 90D143716086019FCB14EF18C480A2BBBE5FF89714F568859F8999B3A1DB31EC45CF92

Function 008F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008F0FCA
Part of subcall function 008F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008F0FD6
Part of subcall function 008F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008F0FE5
Part of subcall function 008F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008F0FEC
Part of subcall function 008F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008F1002

GetLengthSid.ADVAPI32(?,00000000,008F1335), ref: 008F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008F17BA
HeapAlloc.KERNEL32(00000000), ref: 008F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008F17DA
GetProcessHeap.KERNEL32(00000000,00000000,008F1335), ref: 008F17EE
HeapFree.KERNEL32(00000000), ref: 008F17F5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfc1f61f9a236aec6525dd39800802a12a59efc8a2ea54b51a6f13e3b30f3348
Instruction ID: 1b99460e19df00db4ffe5b25b3e6dcba58ed969b77b093cf764619e6d1fe5346
Opcode Fuzzy Hash: dfc1f61f9a236aec6525dd39800802a12a59efc8a2ea54b51a6f13e3b30f3348
Instruction Fuzzy Hash: 6A119A71914209EFDF20AFA4CC4ABBF7BA9FB41355F104018F545D7215C735A945DB60

Function 008F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008F1515
CloseHandle.KERNEL32(00000004), ref: 008F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008F1563

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fe1ac81b5291865aeff939b341a7f2d619fe872d39148d741aca4907ad429fb5
Instruction ID: 8ac34d0e7f981c7a833ef3dd89a91aa7e36b518aa7c59537b7e9f8763331c4bd
Opcode Fuzzy Hash: fe1ac81b5291865aeff939b341a7f2d619fe872d39148d741aca4907ad429fb5
Instruction Fuzzy Hash: A21117B250424DEBDF218FA8DD49BEE7BA9FF48748F144015FA05E2060C3758E65AB64

Function 008B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008B3379,008B2FE5), ref: 008B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008B33B7
SetLastError.KERNEL32(00000000,?,008B3379,008B2FE5), ref: 008B3409

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8bf1427b6c1e58ed48bbdb8936552273d6c2975e0b8a502bd42cc12e1a782484
Instruction ID: f3843b94d3eb060816aeb731c0f98f05000390a25617de0180a93676b6062eab
Opcode Fuzzy Hash: 8bf1427b6c1e58ed48bbdb8936552273d6c2975e0b8a502bd42cc12e1a782484
Instruction Fuzzy Hash: B4014C7321C711BEAA242779BC86AD72F94FB2937A7200229F410C13F1FF114D06B244

Function 008C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008C5686,008D3CD6,?,00000000,?,008C5B6A,?,?,?,?,?,008BE6D1,?,00958A48), ref: 008C2D78
_free.LIBCMT ref: 008C2DAB
_free.LIBCMT ref: 008C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008BE6D1,?,00958A48,00000010,00894F4A,?,?,00000000,008D3CD6), ref: 008C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008BE6D1,?,00958A48,00000010,00894F4A,?,?,00000000,008D3CD6), ref: 008C2DEC
_abort.LIBCMT ref: 008C2DF2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 785c01de04452403a343c4518a5c8f9f56ce4cdde33b170d693e484e2a4c01f2
Instruction ID: acfbf2508c6e3fe008dd9abc01ae59dac748481b46037c1a828bde75ceb8407c
Opcode Fuzzy Hash: 785c01de04452403a343c4518a5c8f9f56ce4cdde33b170d693e484e2a4c01f2
Instruction Fuzzy Hash: D5F0A471508B056BC622773DBC06F1E2679FBD17A6F24451CF925D21D2EF34C8065162

Function 00928A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96A2
Part of subcall function 008A9639: BeginPath.GDI32(?), ref: 008A96B9
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00928A4E
LineTo.GDI32(?,00000003,00000000), ref: 00928A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00928A70
LineTo.GDI32(?,00000000,00000003), ref: 00928A80
EndPath.GDI32(?), ref: 00928A90
StrokePath.GDI32(?), ref: 00928AA0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e35991cb2a25d683a2dbe62942e4539640db5a03e0915dfb127cada377b1275a
Instruction ID: 3de60fd1ec9568026d009b60cdd3aef0d763d0b783cab860b15198f07e61385f
Opcode Fuzzy Hash: e35991cb2a25d683a2dbe62942e4539640db5a03e0915dfb127cada377b1275a
Instruction Fuzzy Hash: 53110C76044118FFEF129F94EC48E9A7F6CEB08350F048011FA1995161C7719D55EBA0

Function 008F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F5230
ReleaseDC.USER32(00000000,00000000), ref: 008F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008F5261

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9b2817c7ee01dcd5f80f787d5017437d8a7acd3bd9bc973a517b38a8e6fdfbb9
Instruction ID: a861ca3202c212cbc79cc8c67620575fee052b21dbe0a1db3d2ceb64509d7d38
Opcode Fuzzy Hash: 9b2817c7ee01dcd5f80f787d5017437d8a7acd3bd9bc973a517b38a8e6fdfbb9
Instruction Fuzzy Hash: 48018FB5E04709BBEB109BB69C49A5EBFB8FF48751F044165FB04E7281DA709801DFA0

Function 00891BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00891BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00891BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00891C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00891C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00891C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00891C22

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 162e399e505a24b591f771e77441393ccb3f858eaabe6e0e54d0adaf209772d7
Instruction ID: eea579446825d141c8d2115a1b9c3dbf81a4614a7054e69e288f98ad2198da46
Opcode Fuzzy Hash: 162e399e505a24b591f771e77441393ccb3f858eaabe6e0e54d0adaf209772d7
Instruction Fuzzy Hash: 7A0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 008FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008FEB75

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 582d84ade9999b157b33cbb2b4f515448ace16cf7c0647282106e514cc6af3f1
Instruction ID: 56dc89909e2670e020781df9c12ef30adc5b0402b38b5af24c85de44155e6bb3
Opcode Fuzzy Hash: 582d84ade9999b157b33cbb2b4f515448ace16cf7c0647282106e514cc6af3f1
Instruction Fuzzy Hash: E6F05EB2254559BBE7315B629C0EEEF3E7CEFCAB11F000158F601E1091D7A05A02E6B5

Function 008E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008E7469
GetWindowDC.USER32(?), ref: 008E7475
GetPixel.GDI32(00000000,?,?), ref: 008E7484
ReleaseDC.USER32(?,00000000), ref: 008E7496
GetSysColor.USER32(00000005), ref: 008E74B0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9ab00138564560753740fde624b3eacba3508fd21e80e5ac97f7cb8c3ea76a6e
Instruction ID: 8e296297f82087dfe65852ddcda8075874d5b04e797991ab2645d11f69411d79
Opcode Fuzzy Hash: 9ab00138564560753740fde624b3eacba3508fd21e80e5ac97f7cb8c3ea76a6e
Instruction Fuzzy Hash: 8201867141820AFFEB215FA4DC08BAE7BB5FF05325F200064FA16A21A1CB311E52BB50

Function 008F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008F187F
UnloadUserProfile.USERENV(?,?), ref: 008F188B
CloseHandle.KERNEL32(?), ref: 008F1894
CloseHandle.KERNEL32(?), ref: 008F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008F18A5
HeapFree.KERNEL32(00000000), ref: 008F18AC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2b8441044dd6da01261c9ebb56d09458b8a5b60d229e60207c9768dfa2afa097
Instruction ID: 9366f82320da1377446cc83df21c79aa5d93bb69bdba0f6ee770553e3302b352
Opcode Fuzzy Hash: 2b8441044dd6da01261c9ebb56d09458b8a5b60d229e60207c9768dfa2afa097
Instruction Fuzzy Hash: EFE0E5B601C501BBDB115FA1ED0D90EBF39FF49B22B208620F22581075CB329432EF50

Function 008FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008FC6EE
_wcslen.LIBCMT ref: 008FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008FC7CA

Strings

0, xrefs: 008FC6AF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7d442275b0702e9a38cf3e10a7e50451485ec2720ef950845f45e71f2a4441a0
Instruction ID: 9dc2b56abebf46eddb74e9a0b7973a0833bec75c3f91d596068b0da56ccf200c
Opcode Fuzzy Hash: 7d442275b0702e9a38cf3e10a7e50451485ec2720ef950845f45e71f2a4441a0
Instruction Fuzzy Hash: E751FF7161830C9BD714AF3CCA84A7B77E4FF89314F080A2DFA91D21A0DB64DA04CB52

Function 0091AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0091AEA3

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

GetProcessId.KERNEL32(00000000), ref: 0091AF38
CloseHandle.KERNEL32(00000000), ref: 0091AF67

Strings

<, xrefs: 0091AE6B
@, xrefs: 0091AE72

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 14f959b28b0406468b55f834c487b8677c3154a67855bc70bf52afeb6ea3e1b9
Instruction ID: a0c46bd643ca9c00889b24b1f5d8d383344979f7e2bd875f09d352614bc38b43
Opcode Fuzzy Hash: 14f959b28b0406468b55f834c487b8677c3154a67855bc70bf52afeb6ea3e1b9
Instruction Fuzzy Hash: 87713775A006199FCB14EF58C484A9EBBF4FF08314F048499E816AB3A2C775ED85CB92

Function 008F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008F72CF

Strings

DllGetClassObject, xrefs: 008F7242

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 279d0af7ee091cada4c303505f3116fc89a0e2fc0ca3d8f4bba1ac5372c4bc2e
Instruction ID: 36f87cb9f829e51b57e1f5932161cd46d6297e31bde84e300c10442857d4c881
Opcode Fuzzy Hash: 279d0af7ee091cada4c303505f3116fc89a0e2fc0ca3d8f4bba1ac5372c4bc2e
Instruction Fuzzy Hash: 8C416471604208DFEB15CF64C885AAA7BB9FF44314F1480ADBE06DF20AD7B1D945DBA0

Function 00923D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00923E35
IsMenu.USER32(?), ref: 00923E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00923E92
DrawMenuBar.USER32 ref: 00923EA5

Strings

0, xrefs: 00923D89

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2ad7abd2a4ad207f45cd08c01df3d9a2624ca250d76648dd510d55eb3ecc3a0a
Instruction ID: 7f9a09f8ccb554807fb5ae09e4c9835d687979b188446115cd6d806225fd61d6
Opcode Fuzzy Hash: 2ad7abd2a4ad207f45cd08c01df3d9a2624ca250d76648dd510d55eb3ecc3a0a
Instruction Fuzzy Hash: 52416A75A10219AFDB10DF50E884EAABBB9FF48350F058029F905A7250D738EE49DF91

Function 008F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008F1EA9

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Strings

ListBox, xrefs: 008F1E25
ComboBox, xrefs: 008F1DF0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a4398f776e2fcd57d2a68b88b80d30ca3d7450ac57e7ecc148329b1fe087e6e8
Instruction ID: f879df4a10f91db22a8f3084f8c8e93f623f407823ccb268df519e9a891be1ad
Opcode Fuzzy Hash: a4398f776e2fcd57d2a68b88b80d30ca3d7450ac57e7ecc148329b1fe087e6e8
Instruction Fuzzy Hash: A521E571A00108BADF14ABB9DC59CFFB7B8FF45364B144129F925E71E1DB34490AD621

Function 00922F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00922F8D
LoadLibraryW.KERNEL32(?), ref: 00922F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00922FA9
DestroyWindow.USER32(?), ref: 00922FB1

Strings

SysAnimate32, xrefs: 00922F68

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c8ef3c2749f503ebb21a8fb4040a25deb044eb97a6a295d9d45c29a0f453641e
Instruction ID: 17a8b5ca5daf193e63c7f3f14043255c30bf4c8ec3b5813a290b7c59d7391452
Opcode Fuzzy Hash: c8ef3c2749f503ebb21a8fb4040a25deb044eb97a6a295d9d45c29a0f453641e
Instruction Fuzzy Hash: 4521AE71204215BBEB208F64ED80FFB77BDEB59364F100618F950D2198D771DC51A760

Function 008B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008B4D1E,008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002), ref: 008B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008B4D1E,008C28E9,?,008B4CBE,008C28E9,009588B8,0000000C,008B4E15,008C28E9,00000002,00000000), ref: 008B4DC3

Strings

CorExitProcess, xrefs: 008B4D98
mscoree.dll, xrefs: 008B4D86

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 57d2189672784ec5dbc28f44ae14053a8234771764cdb62c03eaacbe2d800155
Instruction ID: 219a1ab693b85528c9f5fc67158d99352c3ecb95ecacb7628ea07242050373e8
Opcode Fuzzy Hash: 57d2189672784ec5dbc28f44ae14053a8234771764cdb62c03eaacbe2d800155
Instruction Fuzzy Hash: B2F0AF70A14208BBDB209F90DC0ABEEBBB4EF44752F0400A4F806E22A1CB305941EF90

Function 00894E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00894EAE
FreeLibrary.KERNEL32(00000000,?,?,00894EDD,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00894EA8
kernel32.dll, xrefs: 00894E94

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: bb3764242af25ccf8875f94623771d38bf81281cd4fe5137e1873f013118601e
Instruction ID: a9076c19f736bd579ecdd0468ec54184cc2291c82589bf86e75f5e575a6dbaea
Opcode Fuzzy Hash: bb3764242af25ccf8875f94623771d38bf81281cd4fe5137e1873f013118601e
Instruction Fuzzy Hash: BDE08675A195225B973127257C19E5F6654FFC1B737090115FC05D2101DB60CD0791E0

Function 00894E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00894E74
FreeLibrary.KERNEL32(00000000,?,?,008D3CDE,?,00961418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00894E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00894E6E
kernel32.dll, xrefs: 00894E5B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a7b161a1ee95379cf5ea520ff6fd16736da689df435fe526461b3b213e3bd779
Instruction ID: ac867e7de419affc7306ff5c3b30c6475d0139bbc80c339d1563c5a03f36ff9f
Opcode Fuzzy Hash: a7b161a1ee95379cf5ea520ff6fd16736da689df435fe526461b3b213e3bd779
Instruction Fuzzy Hash: 8CD0C23292AA31574A322B257C09D8F2A18FF85B653490110BC04E2215CF20CD13D1D0

Function 00902947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902C05
DeleteFileW.KERNEL32(?), ref: 00902C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00902C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00902CC0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 481330c532840c80409dc302f0ea57986791b007776eeed113dc18b3eb2fce1f
Instruction ID: e40e45d5a45c50a0efa2856419dc371cdbf4534d2142af3f02765566630b5abb
Opcode Fuzzy Hash: 481330c532840c80409dc302f0ea57986791b007776eeed113dc18b3eb2fce1f
Instruction Fuzzy Hash: DFB12071D00119AFDF25EBA4CC89EDEB7BDFF49350F1040A6FA09E6191EA349A448F61

Function 0091A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0091A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0091A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0091A468
CloseHandle.KERNEL32(?), ref: 0091A63D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 670eeeacfe6bcf670f1a57c3a9d5e6b77d524262143cab812119e40f78951984
Instruction ID: 647ecda9a7908990410be67196bf5de33223349a39720ad3b97c59b0e3bf0dc1
Opcode Fuzzy Hash: 670eeeacfe6bcf670f1a57c3a9d5e6b77d524262143cab812119e40f78951984
Instruction Fuzzy Hash: 80A17E716043009FD720EF28D886B2AB7E5FF84714F14885DF55ADB292DBB1EC418B92

Function 008CBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00933700), ref: 008CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0096121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00961270,000000FF,?,0000003F,00000000,?), ref: 008CBC36
_free.LIBCMT ref: 008CBB7F

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CBD4B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d0d6133b49713e9cbf8528494a207a4b5d191d570234197e9311b2324af7d795
Instruction ID: 8e8947c7710687a81c8ee79ab6ac1f377d6d0f82a1de2e74668f5e5eea735344
Opcode Fuzzy Hash: d0d6133b49713e9cbf8528494a207a4b5d191d570234197e9311b2324af7d795
Instruction Fuzzy Hash: 0451E571904609AFCB14EF799C82EAEB7B8FF40360F14426EE520D7291EB70DE409B51

Function 008FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008FCF22,?), ref: 008FDDFD

Part of subcall function 008FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008FCF22,?), ref: 008FDE16

Part of subcall function 008FE199: GetFileAttributesW.KERNEL32(?,008FCF95), ref: 008FE19A

lstrcmpiW.KERNEL32(?,?), ref: 008FE473
MoveFileW.KERNEL32(?,?), ref: 008FE4AC
_wcslen.LIBCMT ref: 008FE5EB
_wcslen.LIBCMT ref: 008FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008FE650

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f62705e242f4c59cfc6c754ebe85f4b3fc2837e9be5a967aacc7b7268909d68e
Instruction ID: b836fc3e9e8f83436bfbbf3786878aa04d47553aa0371e64b8f2bcb9f570db5b
Opcode Fuzzy Hash: f62705e242f4c59cfc6c754ebe85f4b3fc2837e9be5a967aacc7b7268909d68e
Instruction Fuzzy Hash: FF5120B24087495BC724EBA8DC819EB73DCFF94344F00492EF689D3161EE75A6888767

Function 0091B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 0091C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0091B6AE,?,?), ref: 0091C9B5
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091C9F1
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA68
Part of subcall function 0091C998: _wcslen.LIBCMT ref: 0091CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0091BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0091BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0091BB63
RegCloseKey.ADVAPI32(?,?), ref: 0091BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0091BBB3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4853edd2dbe853952310f745895acb21110cef82d40ecd5ecb51613c4ff113eb
Instruction ID: 9686adb7d86a8109ce1aabb3238a91cba2389f20b442ecc980cadea9b9c0fbfc
Opcode Fuzzy Hash: 4853edd2dbe853952310f745895acb21110cef82d40ecd5ecb51613c4ff113eb
Instruction Fuzzy Hash: 5E61B571208245EFD714DF18C490E6ABBE9FF84308F54895DF4998B2A2DB31ED85CB92

Function 008F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F8BCD
VariantClear.OLEAUT32 ref: 008F8C3E
VariantClear.OLEAUT32 ref: 008F8C9D
VariantClear.OLEAUT32(?), ref: 008F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008F8D3B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e946fbc4b7f533ffc11d703534dcd48bbd09719877656c8e6a7d8c44340fe803
Instruction ID: 67283b9025c256c4d99c309737b2b1f6b31b8f42394fa46bf94832354ac0459a
Opcode Fuzzy Hash: e946fbc4b7f533ffc11d703534dcd48bbd09719877656c8e6a7d8c44340fe803
Instruction Fuzzy Hash: 315178B5A00619EFCB10DF68C884AAAB7F9FF89314B158559FA09DB354E730E911CF90

Function 00908AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00908BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00908BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00908C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00908C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00908C5F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6fa7299301529e2da40c5550380f71f3af5b37259a1c539456d5244f10e81fec
Instruction ID: 5b6b4af71a70197069028913bcf2055378c93cef6636658d25bab227af701da3
Opcode Fuzzy Hash: 6fa7299301529e2da40c5550380f71f3af5b37259a1c539456d5244f10e81fec
Instruction Fuzzy Hash: 89513835A002149FDF11EF68C880A6ABBF5FF49314F088458E849AB3A2DB35ED51CB91

Function 00918EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00918F40
GetProcAddress.KERNEL32(00000000,?), ref: 00918FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00918FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00919032
FreeLibrary.KERNEL32(00000000), ref: 00919052

Part of subcall function 008AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00901043,?,7529E610), ref: 008AF6E6
Part of subcall function 008AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008EFA64,00000000,00000000,?,?,00901043,?,7529E610,?,008EFA64), ref: 008AF70D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8ffe4875f20ab971f211586ee2b5d99aebd584a0ccf18d4466f2bc52993746a9
Instruction ID: 7b01fa639d463f72f95aea343542e33fc65fc392ecf25cfcffb75f9318ea22a4
Opcode Fuzzy Hash: 8ffe4875f20ab971f211586ee2b5d99aebd584a0ccf18d4466f2bc52993746a9
Instruction Fuzzy Hash: 62515D35604209DFCB15EF58C4948EDBBF5FF49314B0980A8E806AB362DB31ED86CB91

Function 00926B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00926C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00926C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00926C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0090AB79,00000000,00000000), ref: 00926C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00926CC7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1df5a5c123dea75a92825240a165569080cf1547059d323ab24ef1d5f8bf6cac
Instruction ID: 38402f44143c325de33a25f304860ed3e37a8b041f4d4a3f14e708bc8bb4dfcb
Opcode Fuzzy Hash: 1df5a5c123dea75a92825240a165569080cf1547059d323ab24ef1d5f8bf6cac
Instruction Fuzzy Hash: 4E411975A08124AFD724EF28EC54FA97BA9EB09360F140268FAD5E76E4C371ED41DA40

Function 008C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008C20C3
_free.LIBCMT ref: 008C20E3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1001099342ee0e75326a010fbac857561d4084ce84ddb9916e62635b5a68112f
Instruction ID: c9996cdf585df99e861454ddd6486121cd2dfc26f8f375058236e0b607dcd33c
Opcode Fuzzy Hash: 1001099342ee0e75326a010fbac857561d4084ce84ddb9916e62635b5a68112f
Instruction Fuzzy Hash: 3641AC72A002049FDB24DFB8C881F59B7B5FF89314F1545ADE615EB292DA31E901CB81

Function 008A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A9141
ScreenToClient.USER32(00000000,?), ref: 008A915E
GetAsyncKeyState.USER32(00000001), ref: 008A9183
GetAsyncKeyState.USER32(00000002), ref: 008A919D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9461139d6277a8b5c4af5de617da8afdb5bbd3f372f5b3196869e30a8cec38db
Instruction ID: ada97c0dbfb87d778ce59bc92143b4b8b4b32aaf5670809ff9b06338621777b9
Opcode Fuzzy Hash: 9461139d6277a8b5c4af5de617da8afdb5bbd3f372f5b3196869e30a8cec38db
Instruction Fuzzy Hash: 78417D71A0C65AFBDF159F68C848BEEB774FF06324F20821AE469E7290C7346950DB91

Function 00903874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00903922
TranslateMessage.USER32(?), ref: 0090394B
DispatchMessageW.USER32(?), ref: 00903955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00903966

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6ef675ebc704942df552debba786d1ad856a8f3874756b81c86cd44180c630b
Instruction ID: 6723ec51ac6f82d924e7cfe5409d539c65ddb55a0b94889c800be323648f33e2
Opcode Fuzzy Hash: b6ef675ebc704942df552debba786d1ad856a8f3874756b81c86cd44180c630b
Instruction Fuzzy Hash: C531B370928341DFEB39CB359949FB637ACAB05304F08856DE472C21E0E3F49A85EB51

Function 0090CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0090CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0090C21E,00000000), ref: 0090CFF2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 369fe9c6187f76d42e9296f31e61bbb7791ed3436b21fb50d415d9b2a3ea2dcc
Instruction ID: ffd49d1829d296ac4c12628e91b0cf321d674bb8a5bd388dadb51902435f500f
Opcode Fuzzy Hash: 369fe9c6187f76d42e9296f31e61bbb7791ed3436b21fb50d415d9b2a3ea2dcc
Instruction Fuzzy Hash: 3D317AB1604206EFDB20DFA9C884AAFBBFDEF04351B10452EF616D2181DB30EE419B61

Function 008F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008F19E2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6bb881217acb38fe42ddb2cce22df4ce6871f358605b7b6f14137a4a0fc7b958
Instruction ID: e6b6df2bb3951edd50de96c3c03d1d11998ba801a70c3e9ea41bed13638d8faf
Opcode Fuzzy Hash: 6bb881217acb38fe42ddb2cce22df4ce6871f358605b7b6f14137a4a0fc7b958
Instruction Fuzzy Hash: 95318A71A1021DEFDB14CFB8C999AAE3BB5FB04315F504229FA21E72D1C7B09954DB90

Function 00925706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00925745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0092579D
_wcslen.LIBCMT ref: 009257AF
_wcslen.LIBCMT ref: 009257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00925816

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8256d361bcb5061a66a65b7e1ac5d08c3d6e9610825105fab9137ca77d1df4af
Instruction ID: 1d9666ce7efdd1eb66adc868745c91574878c5d5a9e11b646e81e3ffc1802278
Opcode Fuzzy Hash: 8256d361bcb5061a66a65b7e1ac5d08c3d6e9610825105fab9137ca77d1df4af
Instruction Fuzzy Hash: F921B675904628DADB209FA5EC85AEDBBBCFF44324F108216F929EB198D770C985CF50

Function 00910930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00910951
GetForegroundWindow.USER32 ref: 00910968
GetDC.USER32(00000000), ref: 009109A4
GetPixel.GDI32(00000000,?,00000003), ref: 009109B0
ReleaseDC.USER32(00000000,00000003), ref: 009109E8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 06998ed2f48ea3e09dcf7163dc4beaf85a85ea81796c49116a935ffa5c75f7c4
Instruction ID: fc889a01492ca9adfea521cf862d1981071a8fcec171d842f30157e5b80be1bd
Opcode Fuzzy Hash: 06998ed2f48ea3e09dcf7163dc4beaf85a85ea81796c49116a935ffa5c75f7c4
Instruction Fuzzy Hash: E321C375600204AFD714EF68D884AAEBBF9FF84740F048428F84AD7762CB70AC44DB90

Function 008CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008CCDE9

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008CCE0F
_free.LIBCMT ref: 008CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008CCE31

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a034f443395a7efa69df6fc338c9c9c803142cbef118e70b238a58928e623ca1
Instruction ID: 3d73f9b554fad4a2e0bb1596c8c476f08a29b4d2e9e5b0b9c932c01681ba3238
Opcode Fuzzy Hash: a034f443395a7efa69df6fc338c9c9c803142cbef118e70b238a58928e623ca1
Instruction Fuzzy Hash: 0701D4B26056157F232116BAAC88E7F6A7DFEC7BA1315012DF909C7201EB71CD0291F0

Function 008A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
SelectObject.GDI32(?,00000000), ref: 008A96A2
BeginPath.GDI32(?), ref: 008A96B9
SelectObject.GDI32(?,00000000), ref: 008A96E2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d0407b687efd80d9f58b1909e6e537fc7006cfd32cf3123b871ed927c97c7954
Instruction ID: 6a1816ec7d534e1a8ac2de670f15f3d82c4d3534b3e21bc1eebd86c87e8a9797
Opcode Fuzzy Hash: d0407b687efd80d9f58b1909e6e537fc7006cfd32cf3123b871ed927c97c7954
Instruction Fuzzy Hash: 82217F7082E305EBEF119F68ED157A93BA8FF22355F18021AF450E61A1D3B05891EF94

Function 008F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008F5726
_memcmp.LIBVCRUNTIME ref: 008F5744
_memcmp.LIBVCRUNTIME ref: 008F5757
_memcmp.LIBVCRUNTIME ref: 008F576F
_memcmp.LIBVCRUNTIME ref: 008F5787

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4a173d51d62db05dab024dd6f6a04a15afea57be95124c231341d7269c4a20a
Instruction ID: 67f9b8b4b3f4b2716e3f6f5c0dc6c0ab026919c34c800428fced8593851aac38
Opcode Fuzzy Hash: c4a173d51d62db05dab024dd6f6a04a15afea57be95124c231341d7269c4a20a
Instruction Fuzzy Hash: 2201B562645A1DBBD608A525AD92FFB739CFB65398F504030FF09DE341F764ED1082A1

Function 008C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008BF2DE,008C3863,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6), ref: 008C2DFD
_free.LIBCMT ref: 008C2E32
_free.LIBCMT ref: 008C2E59
SetLastError.KERNEL32(00000000,00891129), ref: 008C2E66
SetLastError.KERNEL32(00000000,00891129), ref: 008C2E6F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2df209b11a80dd567f5c274873663bca9bd5edacc30bb7791281583b4ec42dd9
Instruction ID: bf2116d3df90e41343924c1d8d59a0181fb843271b4df70c654ae7389176c533
Opcode Fuzzy Hash: 2df209b11a80dd567f5c274873663bca9bd5edacc30bb7791281583b4ec42dd9
Instruction Fuzzy Hash: 6201F476209B046BCA2267796C45F2F267DFBC13B6B20442CF421F21D3EB30CC065121

Function 008F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?,?,008F035E), ref: 008F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?), ref: 008F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008EFF41,80070057,?,?), ref: 008F0070

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3c59fabc5d1f2be3a4f8ae39bd8c1197525a8071cd0381f4eb8bd16da40595ef
Instruction ID: 996d81a607fe431b0494c991840a1f8bfc2b7d8be3bd84f0a2ba8ac2306009da
Opcode Fuzzy Hash: 3c59fabc5d1f2be3a4f8ae39bd8c1197525a8071cd0381f4eb8bd16da40595ef
Instruction Fuzzy Hash: BA0171B2610608BFDB204F64DC04BAE7AADEB84751F144114FA05D2211EB71DD459BA0

Function 008FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008FE9A5
Sleep.KERNEL32(00000000), ref: 008FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008FE9B7
Sleep.KERNEL32 ref: 008FE9F3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: af1b562f98bf66f7b4a1a1d62c8abf7aeeb487b37fbb805fdb5e7419e666fd68
Instruction ID: 7834fbcbb7eedc4f9506254d4788c0ef7d379653e8b186cd35a6a7eeecee5058
Opcode Fuzzy Hash: af1b562f98bf66f7b4a1a1d62c8abf7aeeb487b37fbb805fdb5e7419e666fd68
Instruction Fuzzy Hash: 35013571E09A2DDBCF10ABF4D849AEDBB78FB09700F000546E602F2261CB7096569BA1

Function 008F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008F0B9B,?,?,?), ref: 008F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008F114D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 47f43c93035eee5af57bb43a6c12ce668e3074bac4f66ef9037bc1c75ac4b640
Instruction ID: b0e202b6b73844dc29a0a72f57d7ec85bb6dca52e81211b43f60cdaefbdc648f
Opcode Fuzzy Hash: 47f43c93035eee5af57bb43a6c12ce668e3074bac4f66ef9037bc1c75ac4b640
Instruction Fuzzy Hash: F7016DB9104205BFDF214F64DC4DA6A3B6EFF85360B100414FA41C3350DB31DC419A60

Function 008F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008F1002

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e673f34a0e0819afe7bee31f064819c4e09d33a569848f1d91c6eda0c1a1cd8a
Instruction ID: 97448b9584348cb438b3f5d48a3c354d16ac5c9e7afff3853ad89acc9d50fa43
Opcode Fuzzy Hash: e673f34a0e0819afe7bee31f064819c4e09d33a569848f1d91c6eda0c1a1cd8a
Instruction Fuzzy Hash: 3DF0A9B6204305EBDB214FA49C4EF6A3BADFF89B62F200424FA05C7251CA30DC419A60

Function 008F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1062

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f886856b2fb3f44aae107a1c3d516cb1e02c879986ad7b0b9b5883a13471a06e
Instruction ID: 070d71bfa0f79a19346e78b50a700fab24018a4a207f4fbfa06868335311854a
Opcode Fuzzy Hash: f886856b2fb3f44aae107a1c3d516cb1e02c879986ad7b0b9b5883a13471a06e
Instruction Fuzzy Hash: C9F0CDB5204305FBDB219FA4EC4DF6A3BADFF89761F200424FA05C7250DE30D8419A60

Function 0090030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900324
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900331
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 0090033E
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 0090034B
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900358
CloseHandle.KERNEL32(?,?,?,?,0090017D,?,009032FC,?,00000001,008D2592,?), ref: 00900365

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a70286d7a276c6f695caf05ed1656fc8b8be2b20623b2aabdeadd3834bfbd97e
Instruction ID: 276c55b596440314da5acc0843647361ac6e35d7cf47d2e9dce4a3a0b43bb3f3
Opcode Fuzzy Hash: a70286d7a276c6f695caf05ed1656fc8b8be2b20623b2aabdeadd3834bfbd97e
Instruction Fuzzy Hash: 5E01EE72800B019FCB31AF66D880902FBF9BFA03153148A3FD19692970C3B0A948DF80

Function 008CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008CD752

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008CD764
_free.LIBCMT ref: 008CD776
_free.LIBCMT ref: 008CD788
_free.LIBCMT ref: 008CD79A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d80c708097eca318eea6d483ce4b90e4061137d5fc4d959bbf6389c6ded3a345
Instruction ID: e220a14fc45e069b7df2c685ff5378f8a168b71b0e6cce5ece74675722851d2e
Opcode Fuzzy Hash: d80c708097eca318eea6d483ce4b90e4061137d5fc4d959bbf6389c6ded3a345
Instruction Fuzzy Hash: 89F037B2558304AB8625FB69F9C6E1A7BFDFB04311BA5081DF048E7642CB30FC808A61

Function 008F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008F5C6F
MessageBeep.USER32(00000000), ref: 008F5C87
KillTimer.USER32(?,0000040A), ref: 008F5CA3
EndDialog.USER32(?,00000001), ref: 008F5CBD

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6511f8eb139255b77cdeed87096aac5d11d292b43a55f7a9237b721266b6b332
Instruction ID: 3d20906090c618459d25deeb3a0a387d6f8060e8a5cb43eb1af1dc74e0ebf390
Opcode Fuzzy Hash: 6511f8eb139255b77cdeed87096aac5d11d292b43a55f7a9237b721266b6b332
Instruction Fuzzy Hash: 0B018170514B08ABEB305B20DD5EFBA77B8FF00B06F040559A783E14E1DBF4A9899B91

Function 008C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008C22BE

Part of subcall function 008C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000), ref: 008C29DE
Part of subcall function 008C29C8: GetLastError.KERNEL32(00000000,?,008CD7D1,00000000,00000000,00000000,00000000,?,008CD7F8,00000000,00000007,00000000,?,008CDBF5,00000000,00000000), ref: 008C29F0

_free.LIBCMT ref: 008C22D0
_free.LIBCMT ref: 008C22E3
_free.LIBCMT ref: 008C22F4
_free.LIBCMT ref: 008C2305

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f919aef6e75ff38344997cea10890333bd8590f4d90880da6e8ca4647b2b873
Instruction ID: fcf8f3d53e1d20d05e742ada8fada829316d2f76b2c9be80c436352b64ef00b2
Opcode Fuzzy Hash: 9f919aef6e75ff38344997cea10890333bd8590f4d90880da6e8ca4647b2b873
Instruction Fuzzy Hash: 26F03AB08693209FC612AF58BC41E093FB4F718762744050EF420D22F1CBB18911FFA5

Function 008A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008A95D4
StrokeAndFillPath.GDI32(?,?,008E71F7,00000000,?,?,?), ref: 008A95F0
SelectObject.GDI32(?,00000000), ref: 008A9603
DeleteObject.GDI32 ref: 008A9616
StrokePath.GDI32(?), ref: 008A9631

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 122f25731a0fa83f256ecef8895bdbd307b6c5ea393627ae9111fe9819ece7ab
Instruction ID: a5f51ffb634a40b581750eb80dca655265090404dddb4d56790917903653e318
Opcode Fuzzy Hash: 122f25731a0fa83f256ecef8895bdbd307b6c5ea393627ae9111fe9819ece7ab
Instruction Fuzzy Hash: 6FF0313042D204EBEB265F55FE1D7683B65FB12362F088218F455954F1C7B04556FF60

Function 008C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008C10F9
__freea.LIBCMT ref: 008C1117

Part of subcall function 008C1537: _free.LIBCMT ref: 008C154F

Strings

a/p, xrefs: 008C11DE
am/pm, xrefs: 008C117A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3caa4be8e072c86c4eb47f656362b12cf226671f3d50c6b1aecaf40434c3c379
Instruction ID: 60eeb540458e2c2d5863636a0b0b1195d138fd9e66eac892b798ebbca2836d80
Opcode Fuzzy Hash: 3caa4be8e072c86c4eb47f656362b12cf226671f3d50c6b1aecaf40434c3c379
Instruction Fuzzy Hash: EAD1BD3591024A8ADF249F68C8D9FBAB7B1FB07708F28415EE501DBA52D379DD80CB91

Function 00917B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008B0242: EnterCriticalSection.KERNEL32(0096070C,00961884,?,?,008A198B,00962518,?,?,?,008912F9,00000000), ref: 008B024D
Part of subcall function 008B0242: LeaveCriticalSection.KERNEL32(0096070C,?,008A198B,00962518,?,?,?,008912F9,00000000), ref: 008B028A

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008B00A3: __onexit.LIBCMT ref: 008B00A9

__Init_thread_footer.LIBCMT ref: 00917BFB

Part of subcall function 008B01F8: EnterCriticalSection.KERNEL32(0096070C,?,?,008A8747,00962514), ref: 008B0202
Part of subcall function 008B01F8: LeaveCriticalSection.KERNEL32(0096070C,?,008A8747,00962514), ref: 008B0235

Strings

5, xrefs: 00917C78
Variable must be of type 'Object'., xrefs: 00917C3A
G, xrefs: 00917C7F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e3f467f930404e4515299c643ef6b00754212e4d542570dc50e3c2a5d025ee94
Instruction ID: 7aa298177f067df131bb56e170bef14bb37a814fc3d1c2a73f284fa7b4dc3ba9
Opcode Fuzzy Hash: e3f467f930404e4515299c643ef6b00754212e4d542570dc50e3c2a5d025ee94
Instruction Fuzzy Hash: 73917A74B0420EAFCB14EF98D8819EDB7B5FF88304F148459F8469B291DB71AE81CB51

Function 008F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008F21D0,?,?,00000034,00000800,?,00000034), ref: 008FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008F2760

Part of subcall function 008FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008FB3F8

Part of subcall function 008FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008FB355
Part of subcall function 008FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008F2194,00000034,?,?,00001004,00000000,00000000), ref: 008FB365
Part of subcall function 008FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008F2194,00000034,?,?,00001004,00000000,00000000), ref: 008FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008F281A

Strings

@, xrefs: 008F2832

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5532e864ecb6f37e637ea34c78d954de26e0ade6a4c2252d4561cf38fc4465fa
Instruction ID: c383f6e20b7b1719edc9e24200a411f503b62a9e1fe7da3e8d31f211c34bf04a
Opcode Fuzzy Hash: 5532e864ecb6f37e637ea34c78d954de26e0ade6a4c2252d4561cf38fc4465fa
Instruction Fuzzy Hash: 42411B7290021CAFDB10DBA8CD46AEEBBB8FF09740F104095FA55B7181DB706E45CBA1

Function 008C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008C1769
_free.LIBCMT ref: 008C1834
_free.LIBCMT ref: 008C183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008C1760, 008C1767, 008C1796, 008C17CE

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 930f1782384b36f21632587f5d8da5258ca59e78d7efa5ad08403f4632adf395
Instruction ID: 5f95644aebd25d4ce72e63cf962eb40b61bba765640776cd6d8a69a93b7cd1f5
Opcode Fuzzy Hash: 930f1782384b36f21632587f5d8da5258ca59e78d7efa5ad08403f4632adf395
Instruction Fuzzy Hash: 62316F75A44218AFDF21DF9998C9E9EBBFCFB86310B54416EF404D7212D6B0CA40DB91

Function 008FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00961990,014D56B8), ref: 008FC395

Strings

0, xrefs: 008FC2DF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 27473bd67a85d90174df70c257c2c72c8531020e13e6a9c75897c8f813619e43
Instruction ID: 103c0392ddeb9e4e725056d77e3c994912495326254ba3a46a0c80d52e38d346
Opcode Fuzzy Hash: 27473bd67a85d90174df70c257c2c72c8531020e13e6a9c75897c8f813619e43
Instruction Fuzzy Hash: 8A417B712083099BD720DF39D944A6ABBE4FF85354F14861DFAA5D7391D730AA04CA52

Function 00924416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0092CC08,00000000,?,?,?,?), ref: 009244AA
GetWindowLongW.USER32 ref: 009244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009244D7

Strings

SysTreeView32, xrefs: 0092447C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: eff2475c8fcdb0eea4b30f4e0a151a48680a388ce918a1fe73d328ffdc8111f1
Instruction ID: 4d67d0135ecbdda65020d03da9a3c98208c8d9745b9bd216646e67d99e81e131
Opcode Fuzzy Hash: eff2475c8fcdb0eea4b30f4e0a151a48680a388ce918a1fe73d328ffdc8111f1
Instruction Fuzzy Hash: 8C31BA71214625ABDF209E38EC45BEA7BA9EB09334F204714F975A21E4D770EC519B50

Function 0091304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0091335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00913077,?,?), ref: 00913378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0091307A
_wcslen.LIBCMT ref: 0091309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00913106

Strings

255.255.255.255, xrefs: 00913095, 0091309A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 14ddff50c709ee1b0552b4a304189ebc32e9a5971b62eae251812dd8259ecd0c
Instruction ID: 9aa60188fab69e354fc2bc79feb4820c1998bff5f1a7fe4ed7d9015d363fb410
Opcode Fuzzy Hash: 14ddff50c709ee1b0552b4a304189ebc32e9a5971b62eae251812dd8259ecd0c
Instruction Fuzzy Hash: AD31B2357042099FCB20CF29C585AE977F4EF58318F24C099E9159B392D771EE85C761

Function 00923EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00923F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00923F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00923F78

Strings

SysMonthCal32, xrefs: 00923F0B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c354afd905b0345a8f5acfb1c3442ddf27cf424fe2c203b58da740ed3505dc32
Instruction ID: ab3a7957af18ebda2469af9fd0ce7c60c36c62e8eff105e274c475867604fde2
Opcode Fuzzy Hash: c354afd905b0345a8f5acfb1c3442ddf27cf424fe2c203b58da740ed3505dc32
Instruction Fuzzy Hash: 8721EF32610229BBEF218F54EC42FEA3B79EF48718F110214FA05AB1D0D6B5AC55DB90

Function 00924653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00924705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00924713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0092471A

Strings

msctls_updown32, xrefs: 00924684

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a41d9ea3c27f2922c80e6cb0d585bf47f36881c58f35dcee83abdfab01b684e8
Instruction ID: 996274fc62e9af973c04625607fd09e5bfb85faae05aef0d658af88744ca09fb
Opcode Fuzzy Hash: a41d9ea3c27f2922c80e6cb0d585bf47f36881c58f35dcee83abdfab01b684e8
Instruction Fuzzy Hash: B6215EB5604219AFDB10DF68ECC1DAB37ADEB5A3A4B040059FA14DB351CB70EC11DB60

Function 008F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F961D

Strings

#requireadmin, xrefs: 008F95D9
#OnAutoItStartRegister, xrefs: 008F95F3
#notrayicon, xrefs: 008F95B7

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d1f59b1b7e9f616db9464e32770c16c89a548bab0c9f4047d3bb1b533ee8b5d4
Instruction ID: d66520282380af791397b6f10f89494d4bc46a63f3068f3af4c5ac009ebb7f83
Opcode Fuzzy Hash: d1f59b1b7e9f616db9464e32770c16c89a548bab0c9f4047d3bb1b533ee8b5d4
Instruction Fuzzy Hash: E8213832104129A6D731BA389C12FB773DCFFA5304F144026FB89DB141EB559D45C296

Function 009237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00923840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00923850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00923876

Strings

Listbox, xrefs: 0092380F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 903ad6bc47a7ea7c9f9c38b7333a55f777521af78d38db5c34323c2eaca2f31d
Instruction ID: bb7f2a593fe41276362a9338c56a98038bcc772df979cba5d3116759fb34e168
Opcode Fuzzy Hash: 903ad6bc47a7ea7c9f9c38b7333a55f777521af78d38db5c34323c2eaca2f31d
Instruction Fuzzy Hash: A421D172610228BBEF218F64EC81FBB376EEF89754F10C124F9009B194C675DC528BA0

Function 009049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00904A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00904A5C
SetErrorMode.KERNEL32(00000000,?,?,0092CC08), ref: 00904AD0

Strings

%lu, xrefs: 00904A6F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f37deec56e36ecc44e0012fb885a0c07e9d500751041ad3f3180f8165a89e3bb
Instruction ID: 52583334355338b68ca4b17d1fdfb5540d3687894e3a4977e8198370ac9cba5f
Opcode Fuzzy Hash: f37deec56e36ecc44e0012fb885a0c07e9d500751041ad3f3180f8165a89e3bb
Instruction Fuzzy Hash: 19313075A04109AFDB10DF58C885EAE77F8EF44308F1480A9F905DB252D771ED46CB62

Function 009241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0092424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00924264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00924271

Strings

msctls_trackbar32, xrefs: 00924226

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c204212f5b2aab71b01fc1f58505fc567bfbb66cef6b27d9523dcac92ad1aa71
Instruction ID: 859b0fbdb49f8756b09a404f2614ce29490bdd408a37c71bb27523a74adc9c37
Opcode Fuzzy Hash: c204212f5b2aab71b01fc1f58505fc567bfbb66cef6b27d9523dcac92ad1aa71
Instruction Fuzzy Hash: 0F110231240218BEEF209F69DC06FAB3BACEF95B64F010524FA55E20A0D2B1DC619B60

Function 008F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00896B57: _wcslen.LIBCMT ref: 00896B6A

Part of subcall function 008F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008F2DC5
Part of subcall function 008F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F2DD6
Part of subcall function 008F2DA7: GetCurrentThreadId.KERNEL32 ref: 008F2DDD
Part of subcall function 008F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008F2DE4

GetFocus.USER32 ref: 008F2F78

Part of subcall function 008F2DEE: GetParent.USER32(00000000), ref: 008F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008F2FC3
EnumChildWindows.USER32(?,008F303B), ref: 008F2FEB

Strings

%s%d, xrefs: 008F2FFF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 5e3ccc3fa9890d249e6728b6157e5ccd4c203776fd56e31437d4331902cff76d
Instruction ID: 64e0b0b8af70665d11d9ff2456bd06aa49a0bed4a8f783f184a6d5421a6be198
Opcode Fuzzy Hash: 5e3ccc3fa9890d249e6728b6157e5ccd4c203776fd56e31437d4331902cff76d
Instruction Fuzzy Hash: B11190B16002096BCF14BF788C85EFD376AFF84314F044075BA09EB252EE70994A9B71

Function 00925882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009258EE
DrawMenuBar.USER32(?), ref: 009258FD

Strings

0, xrefs: 0092588F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ce45bd13adbc99315697fd287f51d5d7ef0fc92fd2a04a508649650d4c215ee9
Instruction ID: 8fab075a7c3c769a971878585ea293976800cc36107eb0c203718a32f7588d0a
Opcode Fuzzy Hash: ce45bd13adbc99315697fd287f51d5d7ef0fc92fd2a04a508649650d4c215ee9
Instruction Fuzzy Hash: AC01C031514228EFDB209F51EC44FAEBBB8FF45360F108099F848DA165DB308A94EF21

Function 008ED3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008ED3BF
FreeLibrary.KERNEL32 ref: 008ED3E5

Strings

X64, xrefs: 008ED2A8
GetSystemWow64DirectoryW, xrefs: 008ED3B9

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 74849476ac59ca70e728ae875e0f080d4ca115f6beb6b6416f8e90d6ea32c305
Instruction ID: 91ced510ec9539a3fb5908540f2794317a951b155fa1ba4f4062fcc059781c8c
Opcode Fuzzy Hash: 74849476ac59ca70e728ae875e0f080d4ca115f6beb6b6416f8e90d6ea32c305
Instruction Fuzzy Hash: F9F0ABB190EB71DBD33152134C5496E3320FF03706B588115FA02E624AE720CD4E82E2

Function 008F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fd82c879ba3e2ce31200dd62e86fd83288cb32c85ae1efcdf299202c12ba24
Instruction ID: 4130767e3c14e18ebe636a3cab7592b375abbdb4300e7b0c8d3d5072d138eb31
Opcode Fuzzy Hash: 82fd82c879ba3e2ce31200dd62e86fd83288cb32c85ae1efcdf299202c12ba24
Instruction Fuzzy Hash: ADC12A75A0021AEFDB15CFA4C894ABEB7B5FF48704F208598E605EB252D731ED81DB90

Function 008C3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008C3F0B
__alldvrm.LIBCMT ref: 008C410C
__alldvrm.LIBCMT ref: 008C412E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c08e07e51b4fd94e79180bc41c65dcaf2998f5b0c10ab6e6b2f9086b70116184
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9CA13571E107869FDB21CE18C8A1FAABBF5FF65350F18816EE585DB282C634C982C751

Function 0091342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00913459
CoUninitialize.OLE32 ref: 00913463
VariantInit.OLEAUT32(?), ref: 0091346E
VariantClear.OLEAUT32(?), ref: 0091371B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 65f288a40c5ab73a70cac958fc35b6087887df398d59b48e7b6305a1d4620310
Instruction ID: 742f202015e15bc9f9fc1bf0996dde310161d19123fc40c7d44675c433d21e2c
Opcode Fuzzy Hash: 65f288a40c5ab73a70cac958fc35b6087887df398d59b48e7b6305a1d4620310
Instruction Fuzzy Hash: E1A13A753082049FDB10EF28C585A6AB7E5FF88710F098859F98ADB362DB30ED45CB52

Function 008F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F0608
CLSIDFromProgID.OLE32(?,?,00000000,0092CC40,000000FF,?,00000000,00000800,00000000,?,0092FC08,?), ref: 008F062D
_memcmp.LIBVCRUNTIME ref: 008F064E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9bad9861abfa99440f53a438982106ed930d28ce6e0eba9738933c111f0763b0
Instruction ID: 26ce51c5aff3e83f511b9377f9417743ca22f17b4ca6402062f8b1063042c107
Opcode Fuzzy Hash: 9bad9861abfa99440f53a438982106ed930d28ce6e0eba9738933c111f0763b0
Instruction Fuzzy Hash: 1481D975A00209EFCB04DFA4C984DEEB7B9FF89315B204558E616EB251DB71AE06CF60

Function 0091A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0091A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0091A6BA

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Process32NextW.KERNEL32(00000000,?), ref: 0091A79C
CloseHandle.KERNEL32(00000000), ref: 0091A7AB

Part of subcall function 008ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008D3303,?), ref: 008ACE8A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d326523bb290381904c1d3176648706b3ad3c013979d7ea85de79a7582ad33f0
Instruction ID: 86b233e5b4786c7cd723c5340a458d6f8b93d5101d43d6bb31081086cbb7fa6f
Opcode Fuzzy Hash: d326523bb290381904c1d3176648706b3ad3c013979d7ea85de79a7582ad33f0
Instruction Fuzzy Hash: B5512B71608300AFD710EF28C886A6BBBE8FF89754F44492DF595D7252EB70E904CB92

Function 008D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008D14C0

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 89070ddf0fdda9ee470bb391120bc39a19c4b3944ebb2fb53891fad9bfcd25a4
Instruction ID: 1a1279d3e089065fa9cfddb69c944f2229467312d94438136aa2f59905e33132
Opcode Fuzzy Hash: 89070ddf0fdda9ee470bb391120bc39a19c4b3944ebb2fb53891fad9bfcd25a4
Instruction Fuzzy Hash: 47412475A00504BBDF256ABD9C4EAAE3BB7FF41330F24432BF418D2392E67488415267

Function 00926278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009262E2
ScreenToClient.USER32(?,?), ref: 00926315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00926382

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6b30a8aa40d2b6126ed9fbf550d9b704b5868d3a4114cee7ed26577e57fc5910
Instruction ID: 798bface995f71b5cf6cd1ac41f0f252c0ad0f7197750c5d839f295922deb718
Opcode Fuzzy Hash: 6b30a8aa40d2b6126ed9fbf550d9b704b5868d3a4114cee7ed26577e57fc5910
Instruction Fuzzy Hash: A6512B74900219EFCF24DF68E880AAE7BB9FF45360F108159F855976A4D730AD41DB90

Function 00911AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00911AFD
WSAGetLastError.WSOCK32 ref: 00911B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00911B8A
WSAGetLastError.WSOCK32 ref: 00911B94

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 601bca06601fcda3590bbf91bb3637ed9d92aff5db98ff84313f464c447f84b6
Instruction ID: 59caa3116eee64fede5f6db0402b6df154ed850fc9040ffe5ca55cc64c2faa40
Opcode Fuzzy Hash: 601bca06601fcda3590bbf91bb3637ed9d92aff5db98ff84313f464c447f84b6
Instruction Fuzzy Hash: 5141D5747402006FEB20AF24C886F6977E5FB44718F588458F6199F7D2D772ED818B91

Function 008CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac22f416fec5f2bf2208fe80ca2d466cadaf261f1b52cd597e293bec2ca1e98
Instruction ID: e72b8d36d85f8e7ebf2f4de132728259fb73fa95fd62b10238296a765e08dc96
Opcode Fuzzy Hash: bac22f416fec5f2bf2208fe80ca2d466cadaf261f1b52cd597e293bec2ca1e98
Instruction Fuzzy Hash: 0041C175A04B04AFD7289F7CC842FAABBB9FB88710F10862EF141DB282D771D9018781

Function 009056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00905783
GetLastError.KERNEL32(?,00000000), ref: 009057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009057FA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3e8e560df0a048135829d047a4dc9211116fbecbbe0354182028d773b3090f5
Instruction ID: 5385bc8e31355a438028d2b0756fcd2278fc72a1f741eea3d6697b52e461d3f2
Opcode Fuzzy Hash: e3e8e560df0a048135829d047a4dc9211116fbecbbe0354182028d773b3090f5
Instruction Fuzzy Hash: 2B410935614610DFCF11EF19C544A1EBBE5FF89320B1A8488E84A9B362CB34FD419B92

Function 008CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008B6D71,00000000,00000000,008B82D9,?,008B82D9,?,00000001,008B6D71,8BE85006,00000001,008B82D9,008B82D9), ref: 008CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008CD9AB
__freea.LIBCMT ref: 008CD9B4

Part of subcall function 008C3820: RtlAllocateHeap.NTDLL(00000000,?,00961444,?,008AFDF5,?,?,0089A976,00000010,00961440,008913FC,?,008913C6,?,00891129), ref: 008C3852

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9c1ec47517e66a7a9cac3521f4e9b84053197cb04568473857172fabddd0a503
Instruction ID: f079282be524134ace47738c51287a74fd8e35d494c0b509a7050da71d6da63f
Opcode Fuzzy Hash: 9c1ec47517e66a7a9cac3521f4e9b84053197cb04568473857172fabddd0a503
Instruction Fuzzy Hash: 0C31AD72A0020AABDF24EF69DC85EAE7BB5FB41310B05426CFC04DA291EB35CD55CB91

Function 009252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00925352
GetWindowLongW.USER32(?,000000F0), ref: 00925375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00925382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009253A8

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d5eabcf720bd80113ef99abef95dbf76e888e3d428370175af2a221caceb8894
Instruction ID: e9e29a58f8dca7897d40da7ea534f2dfb486d59b99833f767306e52895e082f7
Opcode Fuzzy Hash: d5eabcf720bd80113ef99abef95dbf76e888e3d428370175af2a221caceb8894
Instruction Fuzzy Hash: 6331F670A69A28EFEF34DF14EC05FE83769AB043D0F596401FA10961E4C7B49D40EB81

Function 008FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008FAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008FACC6

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c68e3abd3e4f788650584ce442043a80a16b798156a7cf98bf845534ad52238f
Instruction ID: a6fac4739232d13d0a6ebad90cf6ba2d9becfb0c7119e95d927b2228646300dd
Opcode Fuzzy Hash: c68e3abd3e4f788650584ce442043a80a16b798156a7cf98bf845534ad52238f
Instruction Fuzzy Hash: 583116B0A0471CAFEB388B75CC047FE7AA5FB49320F04421AE689D22D0D37589859752

Function 00927674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0092769A
GetWindowRect.USER32(?,?), ref: 00927710
PtInRect.USER32(?,?,00928B89), ref: 00927720
MessageBeep.USER32(00000000), ref: 0092778C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1a7f5894a961813bf3d387967eea9afa8ce53fa52048ae5c671b2d20f44eb78c
Instruction ID: bfddaac8164bbb246eb0ffafecfbecf5c625249e7f449b394fe14045c6415a16
Opcode Fuzzy Hash: 1a7f5894a961813bf3d387967eea9afa8ce53fa52048ae5c671b2d20f44eb78c
Instruction Fuzzy Hash: BA41BF34609225DFCB11CF98E894EA9B7F8FF49304F1840A8E814EB269C370E942DF90

Function 009216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009216EB

Part of subcall function 008F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008F3A57
Part of subcall function 008F3A3D: GetCurrentThreadId.KERNEL32 ref: 008F3A5E
Part of subcall function 008F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008F25B3), ref: 008F3A65

GetCaretPos.USER32(?), ref: 009216FF
ClientToScreen.USER32(00000000,?), ref: 0092174C
GetForegroundWindow.USER32 ref: 00921752

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 569325f60ef5cadb35debbecf0baab3b7162b148bde2ece5391a56d5869d3013
Instruction ID: f7e41268c6ca2ba7f501f07f915b7499d5e9f874fb4aeb573265cd53d5c692f0
Opcode Fuzzy Hash: 569325f60ef5cadb35debbecf0baab3b7162b148bde2ece5391a56d5869d3013
Instruction Fuzzy Hash: 98314171D00159AFCB10EFAAC881CAEB7FDFF88304B548069E415E7211EB319E45CBA1

Function 008FDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

_wcslen.LIBCMT ref: 008FDFCB
_wcslen.LIBCMT ref: 008FDFE2
_wcslen.LIBCMT ref: 008FE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008FE018

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: bdb48a41fcd1a4557f7519fc47781dde3ce44aefdbb92a52c9147e53666d68d5
Instruction ID: 122450ede1d2ba2a19eebcac1bc8d72507a6c5faf3094ba1e68eb5605a7e3f60
Opcode Fuzzy Hash: bdb48a41fcd1a4557f7519fc47781dde3ce44aefdbb92a52c9147e53666d68d5
Instruction Fuzzy Hash: 3E219471900618AFCB219FA8D982BBE77F8FF85750F144065EA05FB352D6709E41CBA2

Function 00928FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetCursorPos.USER32(?), ref: 00929001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008E7711,?,?,?,?,?), ref: 00929016
GetCursorPos.USER32(?), ref: 0092905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008E7711,?,?,?), ref: 00929094

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c69698f5cee9c2f3ecf27dabacb501b6cdb5bd8aaa9ac061e8e31e3811d93e73
Instruction ID: 32ba5bd4a1cd5ccaf7a5c060a8f8ec7ddd98a88ba959f6d9f5d89c4e1622b8b7
Opcode Fuzzy Hash: c69698f5cee9c2f3ecf27dabacb501b6cdb5bd8aaa9ac061e8e31e3811d93e73
Instruction Fuzzy Hash: C521D131611028EFDB258F98EC58EFA3BB9FF8A360F044159F90587261C3359991EBA0

Function 008FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0092CB68), ref: 008FD2FB
GetLastError.KERNEL32 ref: 008FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0092CB68), ref: 008FD376

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 7e0b90c92b7e803adc11f673bad25db16fbfd1bae55d82375e3bc6a9f1719332
Instruction ID: 0f260e00316c9bdcbc2e5c2c4ec768b623e05182feebf32697b9a5932b1ee261
Opcode Fuzzy Hash: 7e0b90c92b7e803adc11f673bad25db16fbfd1bae55d82375e3bc6a9f1719332
Instruction Fuzzy Hash: 43217E715093059F8710EF38C88186E77E5FE55324F244A1DF6A9C32A1EB31D946CB93

Function 008F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008F102A
Part of subcall function 008F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008F1036
Part of subcall function 008F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1045
Part of subcall function 008F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008F104C
Part of subcall function 008F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008F15BE
_memcmp.LIBVCRUNTIME ref: 008F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008F1617
HeapFree.KERNEL32(00000000), ref: 008F161E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b4e1d2e701957b8902b02fc8172f477efa40ffa9767dfb803465ae2afad638e1
Instruction ID: c8f79198c2246d97357567c91d74550cb1ecc7df74b7e8ceb5b42ce836940ce2
Opcode Fuzzy Hash: b4e1d2e701957b8902b02fc8172f477efa40ffa9767dfb803465ae2afad638e1
Instruction Fuzzy Hash: D6215571E00108EBDF10DFA4C949BEEB7B8FF94344F084459E541EB241E735AA05DBA0

Function 00922782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0092280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00922824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00922832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00922840

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 99249512fe70acd0bb03a3135c3ded2759685ec4f0ee22dea253fe8272d92883
Instruction ID: a37063b9e522e960bc4e8f15effb0a8112a9cf4468e2279113067c982a12e8a0
Opcode Fuzzy Hash: 99249512fe70acd0bb03a3135c3ded2759685ec4f0ee22dea253fe8272d92883
Instruction Fuzzy Hash: 0E21D331209121BFD714AB24EC44FAA7B99EF85324F148258F426CB6E2CB75FC42CB90

Function 008F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?), ref: 008F8D8C
Part of subcall function 008F8D7D: lstrcpyW.KERNEL32(00000000,?,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F8DB2
Part of subcall function 008F8D7D: lstrcmpiW.KERNEL32(00000000,?,008F790A,?,000000FF,?,008F8754,00000000,?,0000001C,?,?), ref: 008F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7923
lstrcpyW.KERNEL32(00000000,?,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008F8754,00000000,?,0000001C,?,?,00000000), ref: 008F7984

Strings

cdecl, xrefs: 008F797B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 80b96f399d6443e29b8f14cf7b26bd3feda92f13f6337554f4d991cf233512ba
Instruction ID: 59872374963902ac81e67198721e3df609d09ca7b130a801a4debf293a721292
Opcode Fuzzy Hash: 80b96f399d6443e29b8f14cf7b26bd3feda92f13f6337554f4d991cf233512ba
Instruction Fuzzy Hash: 0611293A304305AFEB259F39CC45D7A77A5FF85350B40402AFA02CB2A5EB759811D791

Function 00927CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00927D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00927D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00927D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0090B7AD,00000000), ref: 00927D6B

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 3fa4e5a4fea251a3521ddaba4b3045c0b620fef0b8f3f1a3b76c791afe5d33a4
Instruction ID: 389961a5b4fcd88ce375810800a1ca7647df326802876eae9373a06a2de5e052
Opcode Fuzzy Hash: 3fa4e5a4fea251a3521ddaba4b3045c0b620fef0b8f3f1a3b76c791afe5d33a4
Instruction Fuzzy Hash: 4111D231119625AFCB108F68EC04E6A7BA9AF46360B154728F835E72F4D7309951DB50

Function 00925660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009256BB
_wcslen.LIBCMT ref: 009256CD
_wcslen.LIBCMT ref: 009256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00925816

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6453d33c1820feb9e89b8dc1a04fe909a708f28de5743986acc7560e81473262
Instruction ID: dd84743543f980d5c2b708a66201f49f14c492795880fed0937b23c2d64866a8
Opcode Fuzzy Hash: 6453d33c1820feb9e89b8dc1a04fe909a708f28de5743986acc7560e81473262
Instruction Fuzzy Hash: 6211387560062896DF20DF65EC85AFE77BCFF10360F504426F915D6199E774CA84CB60

Function 008C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb6d26c475b6a8b5b92af036aa4ddda19e2b10b635d6c81d6fac47d33a00bf7
Instruction ID: a62a5d7f87af05d0f2a068882d801cb21cdb35a7e05092f79ac88993496767e2
Opcode Fuzzy Hash: 3fb6d26c475b6a8b5b92af036aa4ddda19e2b10b635d6c81d6fac47d33a00bf7
Instruction Fuzzy Hash: 31012CB2209A1A7EFA2126786CC5F67666DFF423B8B35032DF622D11D7DA70CC5051A1

Function 008F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008F1A8A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1dec06718db233bd0ca63044cb45a6e6d8dcaf9ca5d75fa99849ae18dd11ca30
Instruction ID: 750c48f9d343d9e45917f30a6592ac7c18023ee596236027b370e9a5d68159c7
Opcode Fuzzy Hash: 1dec06718db233bd0ca63044cb45a6e6d8dcaf9ca5d75fa99849ae18dd11ca30
Instruction Fuzzy Hash: C811F77A901229FFEF119BA5C985FADBB78FB08750F200091EA04B7290D7716E51DB94

Function 008FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008FE24D

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 216f156306e76b2a8a0dcc422c5471e22bacffaf61431cca212f425ee7992e78
Instruction ID: d31aab29ede730631f3d2aab7e3e9ce5c24457fdc85029fbcf95c8e5a5013109
Opcode Fuzzy Hash: 216f156306e76b2a8a0dcc422c5471e22bacffaf61431cca212f425ee7992e78
Instruction Fuzzy Hash: 481108B2918258BBD7119FB89C05EAE7FACFB45320F144619F925E3391E2B0990097A0

Function 008BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008BCFF9,00000000,00000004,00000000), ref: 008BD218
GetLastError.KERNEL32 ref: 008BD224
__dosmaperr.LIBCMT ref: 008BD22B
ResumeThread.KERNEL32(00000000), ref: 008BD249

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2f9bfb831f534cbb8ce986e377c24d36baab95e0f4a2b5f1fda2a4f16dedf7a7
Instruction ID: 3d9176804ee7190e17d038734e6780790144f707bfa095af7e4cf304e8d54cab
Opcode Fuzzy Hash: 2f9bfb831f534cbb8ce986e377c24d36baab95e0f4a2b5f1fda2a4f16dedf7a7
Instruction Fuzzy Hash: 1301C476405309BBCB215BA9DC05BEE7A69FF81330F104219F925D22D1EB71990196A1

Function 00929EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008A9BB2

GetClientRect.USER32(?,?), ref: 00929F31
GetCursorPos.USER32(?), ref: 00929F3B
ScreenToClient.USER32(?,?), ref: 00929F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00929F7A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9c1e42d0786ef6b40a1397f480ee5ccdd321cd51489754ee8195380d2659865f
Instruction ID: f535664f3eee255dbceff041aa3d4a08070f033030f57fc89c514883e20543dd
Opcode Fuzzy Hash: 9c1e42d0786ef6b40a1397f480ee5ccdd321cd51489754ee8195380d2659865f
Instruction Fuzzy Hash: C711337290422AABDB60DFA8E9899EE77B8FF45311F000455F911E3150D334BE86DBA1

Function 0089600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
GetStockObject.GDI32(00000011), ref: 00896060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3c32de1d6360b3bbeda2c5727e20c8255cccea8c33c6f6d4b7786b911dc35a5e
Instruction ID: 06475054b23b93f8439d38bc9ded5b8be98eb9c5b3cb40c4dc594ac5c3ab91d2
Opcode Fuzzy Hash: 3c32de1d6360b3bbeda2c5727e20c8255cccea8c33c6f6d4b7786b911dc35a5e
Instruction Fuzzy Hash: D51161B2505909BFEF225F949C94EEA7B6DFF183A4F080215FA14A2120D7329C60EB91

Function 008B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008B3B56

Part of subcall function 008B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008B3AD2
Part of subcall function 008B3AA3: ___AdjustPointer.LIBCMT ref: 008B3AED

_UnwindNestedFrames.LIBCMT ref: 008B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008B3BA4

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: dd7f69345c1145cb169f70d04742fcbb0a6cc857663fc4095cc2161966690ea8
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AE010C32100149BBDF126E99CC46EEB7F6DFF58764F054014FE48A6221D732E961EBA1

Function 008C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008913C6,00000000,00000000,?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue), ref: 008C30A5
GetLastError.KERNEL32(?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue,00932290,FlsSetValue,00000000,00000364,?,008C2E46), ref: 008C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008C301A,008913C6,00000000,00000000,00000000,?,008C328B,00000006,FlsSetValue,00932290,FlsSetValue,00000000), ref: 008C30BF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 70f9b874865b3d9ff79edde9898a40747d0b89a130150700597576f379fac956
Instruction ID: 29dc78262edc63637ed034c8e8f9bfa9239c889f03a68f7f2133f3e3ae7d55ac
Opcode Fuzzy Hash: 70f9b874865b3d9ff79edde9898a40747d0b89a130150700597576f379fac956
Instruction Fuzzy Hash: E501FC73315A26ABC7314B78AC44F6777A8FF45761B108628F956D3140C731D903C6D0

Function 008F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008F74CA

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f1c816c952e505468976bba74103811dfc5b595a72b4ad07329a020740e51061
Instruction ID: edb388fe435087a25e7e9f651e0c7f1b922b3d6a469a16ace76bcb25da837505
Opcode Fuzzy Hash: f1c816c952e505468976bba74103811dfc5b595a72b4ad07329a020740e51061
Instruction Fuzzy Hash: 58118BB1209319ABF7309F24EC09BA67BFCFB00B04F108569E616D7191D7B0E944DBA4

Function 008FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008FACD3,?,00008000), ref: 008FB126

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f2c60a7b782ab5fc113e9abb707f0399b3ee08d45f9dddb62f9d257473ca4d45
Instruction ID: 3f76639b403c8b03467e82f74c801e107f38e7731bde82dc8ff6df25c9fc562d
Opcode Fuzzy Hash: f2c60a7b782ab5fc113e9abb707f0399b3ee08d45f9dddb62f9d257473ca4d45
Instruction Fuzzy Hash: 30117970C08A2DEBCF10AFF4E9A96FEBB78FF49311F004085DA41B2281DB3046919B61

Function 00927E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00927E33
ScreenToClient.USER32(?,?), ref: 00927E4B
ScreenToClient.USER32(?,?), ref: 00927E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00927E8A

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bb0f57c91d2b1753e0054cc685b4041333757bc10b31b2e22ec2331839ffdbd0
Instruction ID: 4ae4962cc10eee0dd1d7a32f77d67d73ae68a21955ed522b8bb01b0bf597415d
Opcode Fuzzy Hash: bb0f57c91d2b1753e0054cc685b4041333757bc10b31b2e22ec2331839ffdbd0
Instruction Fuzzy Hash: D01160B9D0420AAFDB51CF98C884AEEBBF9FF08310F108066E911E2210D734AA55DF90

Function 008F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008F2DD6
GetCurrentThreadId.KERNEL32 ref: 008F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008F2DE4

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 83dd3dd6f55e1ae36fdee80db46bc1a0fb7e97533fa8de9e01eef3d28ec7a98c
Instruction ID: 87a785268d23765320b9063e35b5056cb82876f106046326ef4e952040c1003e
Opcode Fuzzy Hash: 83dd3dd6f55e1ae36fdee80db46bc1a0fb7e97533fa8de9e01eef3d28ec7a98c
Instruction Fuzzy Hash: C6E06DB111962C7BE7302B729C0EEFB7E6CFB42BA1F400215B205D10809AA48842D6F0

Function 00928863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008A9693
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96A2
Part of subcall function 008A9639: BeginPath.GDI32(?), ref: 008A96B9
Part of subcall function 008A9639: SelectObject.GDI32(?,00000000), ref: 008A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00928887
LineTo.GDI32(?,?,?), ref: 00928894
EndPath.GDI32(?), ref: 009288A4
StrokePath.GDI32(?), ref: 009288B2

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 610e930ac1e129eb4a5608cf87dc42dca45165be9538c8877888d124a3e2121e
Instruction ID: 8c8db0735fb03b45bca9111309acb2e33eb9c421d088ddf6ab4ae5483e0fde28
Opcode Fuzzy Hash: 610e930ac1e129eb4a5608cf87dc42dca45165be9538c8877888d124a3e2121e
Instruction Fuzzy Hash: B0F05E3605A668FAEF225F94BC0AFCE3F59AF06311F048000FA11A50E2C7B55522EFE5

Function 008A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008A98CC
SetTextColor.GDI32(?,?), ref: 008A98D6
SetBkMode.GDI32(?,00000001), ref: 008A98E9
GetStockObject.GDI32(00000005), ref: 008A98F1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 17d614107d90901e72335e0cb96e054e78f1ff6a5ca4cddd16df5d10a11ca089
Instruction ID: cc613b10b2ba7454426d4d5879d2da23f9ba84c9af7164d5a93a3698507a766e
Opcode Fuzzy Hash: 17d614107d90901e72335e0cb96e054e78f1ff6a5ca4cddd16df5d10a11ca089
Instruction Fuzzy Hash: 69E0657125C680AADB315B75AC09BED3F10FB12336F048219F6F5940E2C3714651AB11

Function 008F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008F11D9), ref: 008F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008F11D9), ref: 008F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008F11D9), ref: 008F164F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b4c41071408deff3d9416af61e6acc2934f530c8444e7ede1762d5fda7be2996
Instruction ID: 45d9d1e0f13b3042dbbf4779e1874588660ee1a3d7240a26efdbe0d31aab375a
Opcode Fuzzy Hash: b4c41071408deff3d9416af61e6acc2934f530c8444e7ede1762d5fda7be2996
Instruction Fuzzy Hash: 72E086B1655211DBDB301FB09D0DB5A3B7CFF54791F144808F345DA080D6388442D754

Function 008ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008ED858
GetDC.USER32(00000000), ref: 008ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008ED882
ReleaseDC.USER32(?), ref: 008ED8A3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: eb3103cd93b4075b57ee3a850edbd38abde5b2b4931f5a290020e80bf8c6cd86
Instruction ID: d1d083a760360a0b902bcd2a3f02459f12aad86d00a9109c261d778d1b5c5148
Opcode Fuzzy Hash: eb3103cd93b4075b57ee3a850edbd38abde5b2b4931f5a290020e80bf8c6cd86
Instruction Fuzzy Hash: DFE01AB1814209DFCF51AFA0D80C66DBBB1FB08710F148419F806E7250CB385902AF40

Function 008ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008ED86C
GetDC.USER32(00000000), ref: 008ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008ED882
ReleaseDC.USER32(?), ref: 008ED8A3

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 75315b9e7f102a52682c9c249b48fc9222a21a04290f68dfdaae7900e117d80b
Instruction ID: 4e2351a7cd76e5f7e7912e87894e0742cf4ba641740ac6d54a06fc148bd825c9
Opcode Fuzzy Hash: 75315b9e7f102a52682c9c249b48fc9222a21a04290f68dfdaae7900e117d80b
Instruction Fuzzy Hash: E4E046B1C18209EFCF60AFA0D80C66DBBB1FF08710F148008F80AE7250CB385902AF80

Function 00904D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00897620: _wcslen.LIBCMT ref: 00897625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00904ED4

Strings

*, xrefs: 00904E10
LPT, xrefs: 00904DFB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 23d6abf84bbdb1332858065e3ff289ceddb75a2f9d071583951fcc952863a249
Instruction ID: 183ef9c6edd7a807e40c2337f49914a303ca38fe1b03c4fac9d790e340152397
Opcode Fuzzy Hash: 23d6abf84bbdb1332858065e3ff289ceddb75a2f9d071583951fcc952863a249
Instruction Fuzzy Hash: 009151B5A042059FCB14DF58C484EAABBF5FF44304F198099E60A9F3A2D735ED85CB91

Function 008BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008BE30D

Strings

pow, xrefs: 008BE2E5, 008BE302

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c726548844aef3ce719b6865fd9411d52276f7a285e14f39cf8f14852e957594
Instruction ID: 20fa2c59e782c4ba88b6bda300176c5591e2a39a43cb647f16fe087a964c32b4
Opcode Fuzzy Hash: c726548844aef3ce719b6865fd9411d52276f7a285e14f39cf8f14852e957594
Instruction Fuzzy Hash: 9F515B61A1C6069ADB117718C941BFA2BF4FB40B40F34896CF096C23ADDB35CC959E86

Function 008AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008AE1B1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 97dccae56cb8ee8da10713373f8c5abe5e5b9a90e185ffa66c0fad642bf68bea
Instruction ID: f8ef2165b607d9e03b634b0d2b661fe02970c1cecece70b989dd2e5764a190c4
Opcode Fuzzy Hash: 97dccae56cb8ee8da10713373f8c5abe5e5b9a90e185ffa66c0fad642bf68bea
Instruction Fuzzy Hash: 2451127550429ADFEF25EF29C881ABA7BA8FF57310F244459FC91DB280D6309D42CB91

Function 008AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008AF2BB

Strings

@, xrefs: 008AF2AF

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 396f1206c0c46b536047595e3d402307e9cf826c3e9a3e76436dec83b30b7549
Instruction ID: ce6f411bf9a209eaf79de95eb4acaef18f4010aae72db4202a84a3f047b74edf
Opcode Fuzzy Hash: 396f1206c0c46b536047595e3d402307e9cf826c3e9a3e76436dec83b30b7549
Instruction Fuzzy Hash: 3F51677241C7449BD720AF14D886BAFBBF8FB85300F85884CF29981195EB718569CB67

Function 00915745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009157E0
_wcslen.LIBCMT ref: 009157EC

Strings

CALLARGARRAY, xrefs: 009157E6, 009157EB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: da9e1481fa158342fef74d12f70ae580318b0976c663d81bc4494ef68540ed71
Instruction ID: d602f0fcccb00ac9e8b770eb5f7f8abfaa145aeaeffce3a017b3d67ec40abfbe
Opcode Fuzzy Hash: da9e1481fa158342fef74d12f70ae580318b0976c663d81bc4494ef68540ed71
Instruction Fuzzy Hash: 11417D71A00209DFCB14DFA9C8829EEBBB9FF99314F164169E505A72A1E7309D81CB91

Function 0090D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0090D13A

Strings

|, xrefs: 0090D10B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9ad3ba355ab9312cd5846891ae46684a41b1536d3762e4f6a43cfd7d9d8c631f
Instruction ID: 33c5594afe47378fce896c339df466befb8283bcf9c6d739f19472c644142d64
Opcode Fuzzy Hash: 9ad3ba355ab9312cd5846891ae46684a41b1536d3762e4f6a43cfd7d9d8c631f
Instruction Fuzzy Hash: 17311971D01219AFCF15EFE8CC85AEE7FB9FF04340F140019E815A6262EB31AA16DB51

Function 0092356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00923621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0092365C

Strings

static, xrefs: 009235BC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d937954e42aac52663e3a669bea1b7360325e3b83b0058a507a3d4f9fbb53851
Instruction ID: 3c6e0496939df917bd1463b9a8175ae3deff56ea1caa8e0628f72e13914536a2
Opcode Fuzzy Hash: d937954e42aac52663e3a669bea1b7360325e3b83b0058a507a3d4f9fbb53851
Instruction Fuzzy Hash: DD318F71110614AADB209F28EC81FBB73ADFF88724F108619F8A9D7280DA35AD91D760

Function 00924537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0092461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00924634

Strings

', xrefs: 0092458E

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 85003bc60696edba0970cb855c5c5e9ad547417e6ac508106c4823099a3b4894
Instruction ID: e32b0d08dea804f7eb8f3b34eab4c4846ea30159e321d09be7f1e0b9f970ee41
Opcode Fuzzy Hash: 85003bc60696edba0970cb855c5c5e9ad547417e6ac508106c4823099a3b4894
Instruction Fuzzy Hash: 27314A74A0131A9FDF14CFA9D980BDA7BB9FF09300F14406AE904AB345D770A941CF90

Function 009231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0092327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00923287

Strings

Combobox, xrefs: 00923249

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 704d12aeadd0c078f551213144304156f8361c93d16cc908382c4e09f63dbab1
Instruction ID: 35abfb027a21a278ef5ba2c6b02abe55fadc2ab6f0e35d08433aa45c0a44dfb0
Opcode Fuzzy Hash: 704d12aeadd0c078f551213144304156f8361c93d16cc908382c4e09f63dbab1
Instruction Fuzzy Hash: 1E110471300218BFFF21DF94EC80EBB3B6EEB94364F108128F928A7294D6359D519760

Function 00923710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0089600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0089604C
Part of subcall function 0089600E: GetStockObject.GDI32(00000011), ref: 00896060
Part of subcall function 0089600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0089606A

GetWindowRect.USER32(00000000,?), ref: 0092377A
GetSysColor.USER32(00000012), ref: 00923794

Strings

static, xrefs: 00923757

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 57c62ec37b555fbefad97a555071acb8a64534806048a27fbdd303d71bbcddae
Instruction ID: e8a8300af1ff272f92cac695c1f4f4a7ba32b3b5dfdfc89effc6ef16af06e803
Opcode Fuzzy Hash: 57c62ec37b555fbefad97a555071acb8a64534806048a27fbdd303d71bbcddae
Instruction Fuzzy Hash: 821129B261021AAFDF10DFA8DC45EEE7BB8FB08314F004914F955E2250E775E861DB50

Function 0090CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0090CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0090CDA6

Strings

<local>, xrefs: 0090CD66

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: adb4467dd1f1cba49eb94e30712fa94470f1783abf24033a408e28cca90877e7
Instruction ID: bc4460c4de04dc3bc633fafda91496d0f483812ac28c95858cbd0b6cb006e0be
Opcode Fuzzy Hash: adb4467dd1f1cba49eb94e30712fa94470f1783abf24033a408e28cca90877e7
Instruction Fuzzy Hash: 3B11A0B1215631BED7384B668C49EE7BEACEF127A4F00472AB109930C0E6649885D6F0

Function 00923429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009234BA

Strings

edit, xrefs: 0092348F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: feef85c44b3273d9faaf5d60dff90b1da49dc7881dbb9ac882c65b466c205cc3
Instruction ID: 5551a2ec559fce5342beab7cb2083a9c3832fa0b8cab1437240054476d5b39d7
Opcode Fuzzy Hash: feef85c44b3273d9faaf5d60dff90b1da49dc7881dbb9ac882c65b466c205cc3
Instruction Fuzzy Hash: 7211B271110118ABEB116F64EC40AAB376EEB04374F508754F961931E8C779DC519B50

Function 008F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

CharUpperBuffW.USER32(?,?,?), ref: 008F6CB6
_wcslen.LIBCMT ref: 008F6CC2

Strings

STOP, xrefs: 008F6CBC, 008F6CC1

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c775227b405f7c1e56afca3c9a7c6a2994927e3312464c6333682fe6ed635c95
Instruction ID: b889a45e179380783792d39e0dd16872db8edb0861e8ac35aaa2f06abe476c0a
Opcode Fuzzy Hash: c775227b405f7c1e56afca3c9a7c6a2994927e3312464c6333682fe6ed635c95
Instruction Fuzzy Hash: 3C01C432A1052E9ACB20AFBDDC819BF77B5FB617147110628E9A2D6195FA32D920C650

Function 008F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008F1D4C

Strings

ListBox, xrefs: 008F1D16
ComboBox, xrefs: 008F1CEB

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 35431c7f3c0d3f3ec9d9c8e603b31364b4fabc731a6214101600162ff7677709
Instruction ID: 0a7232112114af1511888f2b58acdf2c4166093011fd0cc40a439492bbe7d734
Opcode Fuzzy Hash: 35431c7f3c0d3f3ec9d9c8e603b31364b4fabc731a6214101600162ff7677709
Instruction Fuzzy Hash: EA019E7160121CAB8F18FBB9CC698FE73A8FB46354B04061EF962A72D1EA3159088661

Function 008F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008F1C46

Strings

ListBox, xrefs: 008F1C10
ComboBox, xrefs: 008F1BE5

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 01aec8b75e8d8c6e306912170e59bb474f8d2614d2c9829cbc4c0db504ba23eb
Instruction ID: abacfa5fe9ed7903835757bdf3ed4032d8a35a9b5d64eb5501945c5438419398
Opcode Fuzzy Hash: 01aec8b75e8d8c6e306912170e59bb474f8d2614d2c9829cbc4c0db504ba23eb
Instruction Fuzzy Hash: A501847568110CA6CF14FBA9C9659FF77A8FB61344F140019EA56F7282EA209B08D6B2

Function 008F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008F1CC8

Strings

ListBox, xrefs: 008F1C94
ComboBox, xrefs: 008F1C69

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4a446b29b8aa5ae001f866b66e001c88d7215ce3cd707451f553d78ea8ca90ee
Instruction ID: c70b375d115e2d6a206ae9350af5aac3e2ee7cc38ae6c14e0ea95ddc90a7a618
Opcode Fuzzy Hash: 4a446b29b8aa5ae001f866b66e001c88d7215ce3cd707451f553d78ea8ca90ee
Instruction Fuzzy Hash: 8C01DB71A4011CA7CF14FBB9CE15AFE77A8FB11344F140019B952F3281EA219F08C672

Function 008F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899CB3: _wcslen.LIBCMT ref: 00899CBD

Part of subcall function 008F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008F1DD3

Strings

ListBox, xrefs: 008F1DA0
ComboBox, xrefs: 008F1D75

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c094a9082f924796f96d13966fe442360c8bf41040437831a0f607f8288af5ca
Instruction ID: 6e27e3044c3c43a1efd4ed41200dee472fb466408b8f271f0c69d6a45b6827a2
Opcode Fuzzy Hash: c094a9082f924796f96d13966fe442360c8bf41040437831a0f607f8288af5ca
Instruction Fuzzy Hash: 10F0A471A4121DA6DF14FBBDCC66AFE77B8FB41354F080919F962E32C2DA605A088261

Function 0091747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00917493
_wcslen.LIBCMT ref: 009174B9

Strings

3, 3, 16, 1, xrefs: 00917483

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 51bdc0981eba0067d64e8bba9b0b7e7dadd657812850740f46de180f2bf04455
Instruction ID: 9ccb18a867a110d3cd584ac7405d563808b1caca59a5b7e87f4cefea30b0b062
Opcode Fuzzy Hash: 51bdc0981eba0067d64e8bba9b0b7e7dadd657812850740f46de180f2bf04455
Instruction Fuzzy Hash: 63E0931571521110533112BEACC25FFDA9EDFC57517141417F945C23B7D6548DD193A1

Function 008F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008F0B23

Strings

AutoIt, xrefs: 008F0B17
Error allocating memory., xrefs: 008F0B1C

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: edbf04d0c457ca3b8cd6f2a043d3724a78e622fb569e3e62279ed9ca5fbd4257
Instruction ID: 79d1b34979f8825693da7cd9c45fdfcd54ad2b71bbd0195dc54c43491d67ceb8
Opcode Fuzzy Hash: edbf04d0c457ca3b8cd6f2a043d3724a78e622fb569e3e62279ed9ca5fbd4257
Instruction Fuzzy Hash: 75E0D8712443183AD22437987C03F8D7AC4EF05B65F100426FB88D55C38AE164A006EB

Function 008B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008B0D71,?,?,?,0089100A), ref: 008AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0089100A), ref: 008B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0089100A), ref: 008B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008B0D7F

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e98187f232b8467cc365c7cd1f765f001b969a9d1dd04f8f425674ef77066a75
Instruction ID: d646998588b46130a2f3afb4fecbde7ce1920fd40d686c662604a90993414a1c
Opcode Fuzzy Hash: e98187f232b8467cc365c7cd1f765f001b969a9d1dd04f8f425674ef77066a75
Instruction Fuzzy Hash: 46E039B02007518BD7309FA8E4087867BE0FB00744F084A2DE492C6796DBB0E4499F91

Function 00903017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0090302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00903044

Strings

aut, xrefs: 00903038

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d4012091efd5484bd595383e65a2380cf9f2718dcfc6d7b6bf61e24a1f63977f
Instruction ID: 0394b88951df0064eaec9f4940d163594cc46867615844116412a8ab2b47e187
Opcode Fuzzy Hash: d4012091efd5484bd595383e65a2380cf9f2718dcfc6d7b6bf61e24a1f63977f
Instruction Fuzzy Hash: 90D05EB2500328B7DA30A7A5AC0EFCB3A6CDB04751F4002A1BA65E2095DEB0D989CBD0

Function 008ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008ED220

Strings

X64, xrefs: 008ED2A8
%.3d, xrefs: 008ED22B

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 29b5fccc01c1ac0aa2f55ecaf9d58f9d2ce7bc6c0da12847850a498f3443ee6f
Instruction ID: ff8db162e1a5e97f2d19b51c8341910749e4975a4092f31511a82fa09e5cd8f8
Opcode Fuzzy Hash: 29b5fccc01c1ac0aa2f55ecaf9d58f9d2ce7bc6c0da12847850a498f3443ee6f
Instruction Fuzzy Hash: 92D012A180834CE9CB5096E2DC458B9B37CFB0A345F508452FE16E1041D634E50D6761

Function 00922322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0092232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0092233F

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Strings

Shell_TrayWnd, xrefs: 00922325

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 82322f1408afeb82d1c8fb161d120173cc8cda0002a7367d1852b9836bcaf9e0
Instruction ID: fc6f4ea7844e00c6cff70682b6c522e98cc019e8476d8e7ef0982aac0d4d25bf
Opcode Fuzzy Hash: 82322f1408afeb82d1c8fb161d120173cc8cda0002a7367d1852b9836bcaf9e0
Instruction Fuzzy Hash: 79D0A9723A8300B6E274A730AC0FFCA6A04AB00B00F000A06B705AA0E0C8F0A8028A10

Function 00922356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0092236C
PostMessageW.USER32(00000000), ref: 00922373

Part of subcall function 008FE97B: Sleep.KERNEL32 ref: 008FE9F3

Strings

Shell_TrayWnd, xrefs: 00922365

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d899c4ceed68254f761c66023bfdba019560ae0b347000d421f9f6efded274e5
Instruction ID: 513052c7c9e4d86b2dcba99e51c63b9c590a32d61a2473f2823d5ebfbd0ef576
Opcode Fuzzy Hash: d899c4ceed68254f761c66023bfdba019560ae0b347000d421f9f6efded274e5
Instruction Fuzzy Hash: D0D0A972398300BAE274A730AC0FFCA6A04AB04B00F000A06B701EA0E0C8F0A8028A14

Function 008CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008CBE93
GetLastError.KERNEL32 ref: 008CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008CBEFC

Memory Dump Source

Source File: 00000000.00000002.2206557544.0000000000891000.00000020.00000001.01000000.00000003.sdmp, Offset: 00890000, based on PE: true

Associated: 00000000.00000002.2206098544.0000000000890000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206750708.0000000000952000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206901619.000000000095C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206949950.0000000000964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_890000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 592420267e7f047f2d6918299a6d4389c1436ca798cf8bcf1322cb577a9e8e7a
Instruction ID: e805b988fc35f49ccc34fe6ef4027bca71bf8c7ff91eadd3fe229f692f2db99d
Opcode Fuzzy Hash: 592420267e7f047f2d6918299a6d4389c1436ca798cf8bcf1322cb577a9e8e7a
Instruction Fuzzy Hash: 7141CF34614A16ABDB218FA8CC46FAA7BB4FF41720F14416DF959DB2A1DB30CC01DB61

Analysis Process: firefox.exePID: 7792, Parent PID: 7772COMMON

Executed Functions

Function 0000035CF5DD199E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2252815924.0000035CF5DD1000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000035CF5DD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_35cf5dd1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af382161a8e2625394d1bb39c4c996576ae3b57161127aa4740ac41bd1af269a
Instruction ID: 77adebf7b12ff40593c4c62965789b3553f1923088aa1b53b0f060c948e98637
Opcode Fuzzy Hash: af382161a8e2625394d1bb39c4c996576ae3b57161127aa4740ac41bd1af269a
Instruction Fuzzy Hash: 0E11DD30225E0ACFCF8ADF68C8C1B6477B6FF6A315F140298D649CB296C234A846CB51

Analysis Process: firefox.exePID: 7708, Parent PID: 7792COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000185E249A232 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6822nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000185E249A297

Strings

>, xrefs: 00000185E249B09C
z, xrefs: 00000185E249B876
A, xrefs: 00000185E249A28F
#, xrefs: 00000185E2498605
4, xrefs: 00000185E249E319
>, xrefs: 00000185E249E33F
#, xrefs: 00000185E249A2C2
#, xrefs: 00000185E249B371
z, xrefs: 00000185E249A2CB
>, xrefs: 00000185E249A2F9

Memory Dump Source

Source File: 00000011.00000002.3388724838.00000185E2491000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000185E2491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_185e2491000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: d237cec4a8ebabd8858e1b0e7f2a7b1b6c8e4621f30666f96f4e55eaf2631d71
Instruction ID: f518a6a078703556c7800a375f7425e1951228558462657333472ce9f1c4aa65
Opcode Fuzzy Hash: d237cec4a8ebabd8858e1b0e7f2a7b1b6c8e4621f30666f96f4e55eaf2631d71
Instruction Fuzzy Hash: 59A3B631614E598FDB2EDF18DC856E9B7D6FB98700F14422EE84BC7255DE34EA028B81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2290123436.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362054808.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2357447069.000002A6AED8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2358230484.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358087211.000002A6ADF2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291398529.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291647869.000002A6ADB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358474767.000002A6ADB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358230484.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2290123436.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362054808.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372100516.000002A6A39E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224888591.000002A6A3165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358230484.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358087211.000002A6ADF2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291647869.000002A6ADB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358474767.000002A6ADB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358230484.000002A6ADBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3385445962.00000234E4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3385445962.00000234E4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3385445962.00000234E4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2224014469.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365643284.000002A6A44BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2343924125.000002A6A44AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224888591.000002A6A3165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: main/nimbus-desktop-experimentshttps://www.amazon.co.uk/https://www.facebook.com/1tog0cdkasggly29o8xqc6p37devtools.jsonview.enablednimbus-desktop-experiments^application\/(?:.+\+)?json$https://www.wikipedia.org/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2290123436.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362054808.000002A6AED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372100516.000002A6A39E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2355140710.00003BE858404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2389612252.000002A6A33C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2360091983.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382281042.000002A6AB7D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2373037383.000002A6A3934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49898 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a7ef4f39-963a-48e0-91c6-e6aad4fd60e4.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a7ef4f39-963a-48e0-91c6-e6aad4fd60e4.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre