Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541908
MD5:	d18d5c5315a7b34b6c746fdbd100fd57
SHA1:	b2b3b1b064068d54d5ce15d3563eda5430a2c9d4
SHA256:	5c93dabf88c48ddff4ea4b246c182e649ef200ce2d342e8ecd9c4d1c2be172a8
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D18D5C5315A7B34B6C746FDBD100FD57)

taskkill.exe (PID: 5088 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1836 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 776 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1912 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7064 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6484 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3560 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5b33e7-d113-4847-8deb-63ab7a99d8dc} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffa3f6d710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7176 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee93147-3765-4cc2-bc3d-54383d42b79d} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb640b910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3568 -prefMapHandle 4724 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c4fb31-33a7-4628-840c-3041c3ce5eed} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb4fc2510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4876	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00B7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B7ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00B7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B6AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B99576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_30f6e5b1-0
Source: file.exe, 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d386b563-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a80b336c-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_de2db676-a

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C66377 NtQuerySystemInformation,		18_2_0000023C25C66377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C82AF2 NtQuerySystemInformation,		18_2_0000023C25C82AF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B6D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B6E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B08060	0_2_00B08060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B72046	0_2_00B72046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68298	0_2_00B68298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3E4FF	0_2_00B3E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3676B	0_2_00B3676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94873	0_2_00B94873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2CAA0	0_2_00B2CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0CAF0	0_2_00B0CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1CC39	0_2_00B1CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B36DD9	0_2_00B36DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B091C0	0_2_00B091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1B119	0_2_00B1B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B21394	0_2_00B21394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2781B	0_2_00B2781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B07920	0_2_00B07920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1997D	0_2_00B1997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B27A4A	0_2_00B27A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B27CA7	0_2_00B27CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B39EEE	0_2_00B39EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8BE44	0_2_00B8BE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C66377	18_2_0000023C25C66377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C82AF2	18_2_0000023C25C82AF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C8321C	18_2_0000023C25C8321C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000023C25C82B32	18_2_0000023C25C82B32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B20A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B1F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B09CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B737B5 GetLastError,FormatMessageW,

0_2_00B737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B610BF AdjustTokenPrivileges,CloseHandle,		0_2_00B610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B6D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B6D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00B7648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2426465204.000001FFB19F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2346230509.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2417429691.000001FFC005B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5b33e7-d113-4847-8deb-63ab7a99d8dc} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffa3f6d710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee93147-3765-4cc2-bc3d-54383d42b79d} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb640b910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3568 -prefMapHandle 4724 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c4fb31-33a7-4628-840c-3041c3ce5eed} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb4fc2510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5b33e7-d113-4847-8deb-63ab7a99d8dc} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffa3f6d710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee93147-3765-4cc2-bc3d-54383d42b79d} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb640b910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3568 -prefMapHandle 4724 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c4fb31-33a7-4628-840c-3041c3ce5eed} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb4fc2510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000E.00000003.2423724126.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415597973.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.2425873311.000001FFB4796000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2422238829.000001FFB6074000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdburlbar-eme-notification-anchor source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb0 source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2425997452.000001FFB4782000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423724126.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415597973.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2414465724.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402838866.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423046556.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2429517468.000001FFB04AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.2401855938.000001FFB64BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2413709500.000001FFB64BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.2414465724.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402838866.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423046556.000001FFB57D9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.2422174887.000001FFB65AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2401599774.000001FFB65AE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2429517468.000001FFB04AB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.2411909363.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423311469.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403181491.000001FFB576D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.2423724126.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415597973.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2401270243.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419818812.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2401216832.000001FFB68DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2415263881.000001FFB55CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423494193.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404270693.000001FFB55D4000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B20A76 push ecx; ret

0_2_00B20A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B1F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B91C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97178

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000023C25C66377 rdtsc

18_2_0000023C25C66377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B6DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3C2A2 FindFirstFileExW,	0_2_00B3C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B768EE FindFirstFileW,FindClose,	0_2_00B768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B7698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B79642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B79B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B75C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: firefox.exe, 00000010.00000002.3401039231.00000143860AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: firefox.exe, 00000012.00000002.3400197420.0000023C258AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000013.00000002.3401118030.0000019B590CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@!PY
Source: firefox.exe, 00000010.00000002.3401039231.00000143860AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3407980482.0000023C26110000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3407557379.0000019B59500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3408468966.0000014386840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: firefox.exe, 00000010.00000002.3407399843.0000014386415000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3408468966.0000014386840000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3407980482.0000023C26110000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000023C25C66377 rdtsc

18_2_0000023C25C66377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B7EAA2 BlockInput,

0_2_00B7EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B32622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B24CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B24CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00B60B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B32622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B2083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B209D5 SetUnhandledExceptionFilter,	0_2_00B209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B20C21

Source: C:\Users\user\Desktop\file.exe

0_2_00B61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B42BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B42BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B6B226 SendInput,keybd_event,

0_2_00B6B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00B822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00B60B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B61663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2389462966.000001FFB3BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B20698 cpuid

0_2_00B20698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00B78195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B5D27A GetUserNameW,

0_2_00B5D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B3B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00B3B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4876, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4876, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00B81204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B81806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.212.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
dualstack.reddit.map.fastly.net	151.101.1.140	true	false	unknown
youtube-ui.l.google.com	142.250.185.238	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2234740706.000001FFB7D51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2408568920.000001FFB7D51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354589835.000001FFB7D51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422238829.000001FFB6074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B594C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2360873683.000001FFB6651000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2426105927.000001FFB3D93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3402412082.0000014386272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B5948F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2401270243.000001FFB68BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2426465204.000001FFB19F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2196340348.000001FFB3D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203077268.000001FFB3F0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203544264.000001FFB3F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203950401.000001FFB3F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2378280962.000001FFB57FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2424496786.000001FFB4BB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2371880878.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2430726921.000001FFBFFC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346576082.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310901838.000001FFB5816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331173494.000001FFB5816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196340348.000001FFB3D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203077268.000001FFB3F0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203544264.000001FFB3F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203950401.000001FFB3F52000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234740706.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2196340348.000001FFB3D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203077268.000001FFB3F0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203544264.000001FFB3F31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2408997429.000001FFB7AE6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000013.00000002.3402222005.0000019B59390000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2430726921.000001FFBFF78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing	firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2346576082.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2347457288.000001FFBC856000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2346576082.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B5940C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2260006966.000001FFBE1BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261943510.000001FFBE1D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2371880878.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346576082.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2430726921.000001FFBFF78000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2418763614.000001FFBC647000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422238829.000001FFB6074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B594C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2426105927.000001FFB3D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2260006966.000001FFBE1BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2391450495.000001FFB58EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381014661.000001FFB58E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2346576082.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2424496786.000001FFB4BB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	firefox.exe, 0000000E.00000003.2423724126.000001FFB55B3000.00000004.00000800.00020000.00000000.sdmp, recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2423724126.000001FFB5598000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2401270243.000001FFB68BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B59413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000013.00000002.3402948060.0000019B5948F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2410321519.000001FFB7621000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2421898585.000001FFB65D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256202538.000001FFB52F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210621798.000001FFB52FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372778006.000001FFB588B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2391997883.000001FFB52F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407704980.000001FFB7E79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210621798.000001FFB52F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249302323.000001FFB5867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251842046.000001FFB58F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2401855938.000001FFB648B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340573555.000001FFB52C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356350198.000001FFB7627000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247568089.000001FFB54A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356080009.000001FFB764E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2421898585.000001FFB65B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209677703.000001FFB24DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375335573.000001FFB76EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253265257.000001FFB59EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372778006.000001FFB5888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2392245250.000001FFB44BA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2236154615.000001FFB67B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419998402.000001FFB67B6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2353801080.000001FFB7E79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2353801080.000001FFB7E79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2383029760.000001FFBC7F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349545996.000001FFBC7F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2349545996.000001FFBC7C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2376543328.000001FFB69AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2359100526.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437192003.000001FFB69AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2235849038.000001FFB7525000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2435938153.000001FFB7530000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2260006966.000001FFBE1BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261943510.000001FFBE1D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2371880878.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346576082.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2430726921.000001FFBFF78000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2418585343.000001FFBC67B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2385259043.000001FFB6A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2203544264.000001FFB3F31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2349545996.000001FFBC7C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425873311.000001FFB4796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310901838.000001FFB5816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331173494.000001FFB5816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2196340348.000001FFB3D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203077268.000001FFB3F0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203544264.000001FFB3F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203950401.000001FFB3F52000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2383106329.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349829626.000001FFBC71E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3406575907.0000014386320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3400887893.0000023C259C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3401890622.0000019B59300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000E.00000003.2346576082.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2355141676.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397063724.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2419024203.000001FFB7D49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2260006966.000001FFBE1BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261943510.000001FFBE1D2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.3402412082.00000143862C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3401454796.0000023C25BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3407823746.0000019B59603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture	firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000E.00000003.2422238829.000001FFB6036000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000E.00000003.2232588505.000001FFB7FA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541908
Start date and time:	2024-10-25 10:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@71/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 39 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.13.186.250, 44.231.229.39, 34.208.54.237, 142.250.185.170, 142.250.186.106, 142.250.184.206, 2.22.61.59, 2.22.61.56, 142.250.185.110
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
04:01:12	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Import_Declainvoice.htm	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	K3Kvd8JYGV.elf	Get hash	malicious	Unknown	Browse	32.93.16.167
	HUyUkUjJ4y.elf	Get hash	malicious	Unknown	Browse	57.163.111.251
	GSVzm51Pg5.elf	Get hash	malicious	Unknown	Browse	57.203.208.147
	czHBnd67gp.elf	Get hash	malicious	Unknown	Browse	51.240.38.121
	3HOhJoCrj5.elf	Get hash	malicious	Unknown	Browse	57.222.44.132
	8DKuAcmAMT.elf	Get hash	malicious	Unknown	Browse	48.125.99.197
	CLNGs0rZD4.exe	Get hash	malicious	Sliver	Browse	34.22.231.73
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	57.208.205.52

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_54e4d048-228c-4fbe-bc29-76ec44013f8d.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.1777938347427925
Encrypted:	false
SSDEEP:	192:xBMXpFecbhbVbTbfbRbObtbyEl7nduPr+JA6unSrDtTkdxSofKk:xi+cNhnzFSJ9uPrd1nSrDhkdx5
MD5:	CD10BCF7B4444007A19D6DCF1A9A95FC
SHA1:	5AF346A5852A22BFA1D97350CD2E8496C813777C
SHA-256:	9A18E189E1E4627E5800DB433294034BB431EAACF36109B27434F1E636554DF0
SHA-512:	4D6B38E7373529C30CB08A6B1ABB1F89C4FE2E2B6CB9EE277A690802AD320080F4D4476AC8C422770618C43A71215130697119399AC59E46AFBD7A63C317E789
Malicious:	false
Preview:	{"type":"uninstall","id":"54e4d048-228c-4fbe-bc29-76ec44013f8d","creationDate":"2024-10-25T09:15:23.566Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_54e4d048-228c-4fbe-bc29-76ec44013f8d.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.1777938347427925
Encrypted:	false
SSDEEP:	192:xBMXpFecbhbVbTbfbRbObtbyEl7nduPr+JA6unSrDtTkdxSofKk:xi+cNhnzFSJ9uPrd1nSrDhkdx5
MD5:	CD10BCF7B4444007A19D6DCF1A9A95FC
SHA1:	5AF346A5852A22BFA1D97350CD2E8496C813777C
SHA-256:	9A18E189E1E4627E5800DB433294034BB431EAACF36109B27434F1E636554DF0
SHA-512:	4D6B38E7373529C30CB08A6B1ABB1F89C4FE2E2B6CB9EE277A690802AD320080F4D4476AC8C422770618C43A71215130697119399AC59E46AFBD7A63C317E789
Malicious:	false
Preview:	{"type":"uninstall","id":"54e4d048-228c-4fbe-bc29-76ec44013f8d","creationDate":"2024-10-25T09:15:23.566Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930534506780188
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLCG/a8P:gXiNFS+OcUGOdwiOdwBjkYLCKa8P
MD5:	6D42D3B2EB0FC78AD28C9A7FCB6D3782
SHA1:	3DC0752EA32D9899D433D4CBC55D1FCB5F494E51
SHA-256:	30F5B303C046B5949840210668FAF775E46C758DF21143F30FF617A552C2B8E8
SHA-512:	D2A691CA68FE13E75396200CDB20E35DA649757079B3FC4B5D680523B0983C2730C750CC87C9B04148CA7E690B4AE1C6535CD2272FBC98DD0594E9DFD4A98E98
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930534506780188
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLCG/a8P:gXiNFS+OcUGOdwiOdwBjkYLCKa8P
MD5:	6D42D3B2EB0FC78AD28C9A7FCB6D3782
SHA1:	3DC0752EA32D9899D433D4CBC55D1FCB5F494E51
SHA-256:	30F5B303C046B5949840210668FAF775E46C758DF21143F30FF617A552C2B8E8
SHA-512:	D2A691CA68FE13E75396200CDB20E35DA649757079B3FC4B5D680523B0983C2730C750CC87C9B04148CA7E690B4AE1C6535CD2272FBC98DD0594E9DFD4A98E98
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733259453775852
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	1A334D8771AE01944C7465C55E4FBAB7
SHA1:	B36B7A20252904B46C526C7AA84C30056E7F2A0E
SHA-256:	E8741A4BFF5354498372EB742F08CD24D7CA630033BE3411BCA818C17EC93BC2
SHA-512:	3A65B60E3966F51EBB0B8D5FFB46D49C87DD60C5654DC86AD27AD52C173DF73EED846067F77F1ACB1909247420E509E9C6FB384B00ABC485D455549399DF3986
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035325086693798996
Encrypted:	false
SSDEEP:	3:GtlstFHmj5aTRBlstFHmj5aTRiJ89//alEl:GtWtsjEPWtsjE8J89XuM
MD5:	E37DC5ABF5C6A72B559DDEE92E4C9859
SHA1:	3DDCD108167545CD4DD84C050D527EA5335CB699
SHA-256:	9D4BD31DBDD0943504D2FFC603B7CAEEF988A1064E8E019939578C5C019E0247
SHA-512:	C63CE4090ACBB3E48A6054A52D64885E1FC8C627080F0EEBBB3EFA5A26F7355A2066F5EF1382CF56DE392319AC2E8FBA4CB562E6CA241AE02D6DE91DA8BF0B69
Malicious:	false
Preview:	..-........................H....Y.D.......Ch;+S..-........................H....Y.D.......Ch;+S........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03468475126558448
Encrypted:	false
SSDEEP:	3:Ol1FjnTt437lllIVZNYT9/gKSrV//mwl8XW3R2:K7jnuxlGsT9oJpuw93w
MD5:	6C9EB6BEA8DEC7E9E404CBBD13FEA4F9
SHA1:	1CAA8E3EED209AF4BE48F82747F78EDBF49FD0EB
SHA-256:	F1F16E32E5AD87EB0485BBE9040A855C050060DB9932B601D1208011D193DEB3
SHA-512:	F791816ADAB54A3C2B09EA04FCBB834F7B7139A3AB441AB1F37A35F4D274002425A3F2D8239BD8DD9FC31571F5C3559794D8C2805DDBBCB181483CB800B76E5F
Malicious:	false
Preview:	7....-...........Y.D.....H]..~6..........Y.D...........H................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	modified
Size (bytes):	14081
Entropy (8bit):	5.467288176699197
Encrypted:	false
SSDEEP:	192:enTFTRRUYbBp6GLZNMGaX26qU4/Rzy+/3/7tl5RYiNBw8dHSl:EKezFNMRENyC7dw40
MD5:	0F83983F0E9F9E02A45C7CA7DFFCEAAD
SHA1:	907AF2E109EBFE90A27B66E18AA8F2D483CFC61B
SHA-256:	2F42E8AD1A67A0C4B773B3CBC852E68EC21102953F0D5B57705D01968A9C7EEB
SHA-512:	557C1889EAAD4C6FDCC362D91A75E0438AE9CE309F8E3E33C0F6F49A28D497E5AC3395ED0737823B5ADB421FE18EFCB853A2ECFFD1EC81C5C3CE66894EACE393
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729847693);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729847693);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729847693);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172984

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467288176699197
Encrypted:	false
SSDEEP:	192:enTFTRRUYbBp6GLZNMGaX26qU4/Rzy+/3/7tl5RYiNBw8dHSl:EKezFNMRENyC7dw40
MD5:	0F83983F0E9F9E02A45C7CA7DFFCEAAD
SHA1:	907AF2E109EBFE90A27B66E18AA8F2D483CFC61B
SHA-256:	2F42E8AD1A67A0C4B773B3CBC852E68EC21102953F0D5B57705D01968A9C7EEB
SHA-512:	557C1889EAAD4C6FDCC362D91A75E0438AE9CE309F8E3E33C0F6F49A28D497E5AC3395ED0737823B5ADB421FE18EFCB853A2ECFFD1EC81C5C3CE66894EACE393
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729847693);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729847693);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729847693);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172984

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337496771620674
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfzLXnIggd/pnxQwRlszT5sKL13eHVvwKXTtamhujJmyOOxmOmaoRa:GUpOxKIHnR6h3eNwCTt4JNKRhM
MD5:	CAD3E1C27BF98772117281B91DEF2EA5
SHA1:	273BB80DE8594C07C642694A6FC6440031B164FE
SHA-256:	CBC55B6616D7A501DC4E72C389876CC6274735290FF4602B399127C32CAAAAEC
SHA-512:	04F1FBDB46ED0F33F079BBF654AE5E04977515B1DCBC767BEA30D5A95DFC5093D2612359D89C1B806619932C9D9A9C2B1BB3470FC4500168454EA4E5840F5DA2
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6fb36db6-1805-4c6e-ac11-7b213ad92623}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729847701395,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`662647...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry...6...6,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337496771620674
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfzLXnIggd/pnxQwRlszT5sKL13eHVvwKXTtamhujJmyOOxmOmaoRa:GUpOxKIHnR6h3eNwCTt4JNKRhM
MD5:	CAD3E1C27BF98772117281B91DEF2EA5
SHA1:	273BB80DE8594C07C642694A6FC6440031B164FE
SHA-256:	CBC55B6616D7A501DC4E72C389876CC6274735290FF4602B399127C32CAAAAEC
SHA-512:	04F1FBDB46ED0F33F079BBF654AE5E04977515B1DCBC767BEA30D5A95DFC5093D2612359D89C1B806619932C9D9A9C2B1BB3470FC4500168454EA4E5840F5DA2
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6fb36db6-1805-4c6e-ac11-7b213ad92623}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729847701395,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`662647...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry...6...6,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337496771620674
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSfzLXnIggd/pnxQwRlszT5sKL13eHVvwKXTtamhujJmyOOxmOmaoRa:GUpOxKIHnR6h3eNwCTt4JNKRhM
MD5:	CAD3E1C27BF98772117281B91DEF2EA5
SHA1:	273BB80DE8594C07C642694A6FC6440031B164FE
SHA-256:	CBC55B6616D7A501DC4E72C389876CC6274735290FF4602B399127C32CAAAAEC
SHA-512:	04F1FBDB46ED0F33F079BBF654AE5E04977515B1DCBC767BEA30D5A95DFC5093D2612359D89C1B806619932C9D9A9C2B1BB3470FC4500168454EA4E5840F5DA2
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6fb36db6-1805-4c6e-ac11-7b213ad92623}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729847701395,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`662647...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry...6...6,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009307531515616
Encrypted:	false
SSDEEP:	48:YrSAYPHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycPCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	F8F6B45179CF4E3D08C066F97F86EE30
SHA1:	56272944015E796BE5410CFDB39FB26036B3F855
SHA-256:	837D6A7A1116DBA92CFDE3E800183ADAA05838E57273DA1938D2AA48054B468F
SHA-512:	A7FE962A0E89900915BA83FA8DEDD2F2A26D77F12B59C872ABE024D02234407366E18B9C4DA3C158AD54B762E1946AC341C0A659778BE53049BC9152F77EA98E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T09:14:42.187Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009307531515616
Encrypted:	false
SSDEEP:	48:YrSAYPHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycPCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	F8F6B45179CF4E3D08C066F97F86EE30
SHA1:	56272944015E796BE5410CFDB39FB26036B3F855
SHA-256:	837D6A7A1116DBA92CFDE3E800183ADAA05838E57273DA1938D2AA48054B468F
SHA-512:	A7FE962A0E89900915BA83FA8DEDD2F2A26D77F12B59C872ABE024D02234407366E18B9C4DA3C158AD54B762E1946AC341C0A659778BE53049BC9152F77EA98E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T09:14:42.187Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584696936661296
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	d18d5c5315a7b34b6c746fdbd100fd57
SHA1:	b2b3b1b064068d54d5ce15d3563eda5430a2c9d4
SHA256:	5c93dabf88c48ddff4ea4b246c182e649ef200ce2d342e8ecd9c4d1c2be172a8
SHA512:	2ee78bcb86d9a74568c056a7311767c50c23be678f1a16621d3aa8e3ca1a675571e4b8e3eb5fb43eab7d88f547740e2cd74e7fbfe19ff4eb818e9eb865e57924
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tx:9qDEvCTbMWu7rQYlBQcBiT6rprG8abx
TLSH:	00159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B4CC2 [Fri Oct 25 07:46:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FDB30B77743h
jmp 00007FDB30B7704Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDB30B7722Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDB30B771FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FDB30B79DEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FDB30B79E38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FDB30B79E21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	75459dfcdf3100b97956e1a7e46305d3	False	0.3157387262658228	data	5.373930522050642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 10:01:11.247349977 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.247390985 CEST	443	49734	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.247886896 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.247929096 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:11.248011112 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.248070002 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:11.248514891 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.248640060 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.248672962 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.253730059 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.253747940 CEST	443	49734	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.255136013 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.255173922 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:11.256380081 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:11.256395102 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:11.388763905 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:11.388804913 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:11.389183044 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:11.389337063 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:11.389357090 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:11.802731991 CEST	49738	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:11.808146954 CEST	80	49738	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:11.808547974 CEST	49738	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:11.808893919 CEST	49738	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:11.811463118 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.811553955 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:11.811863899 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.813235044 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.813314915 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:11.814234018 CEST	80	49738	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:11.826988935 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.827028036 CEST	443	49740	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:11.827779055 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.829157114 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:11.829169989 CEST	443	49740	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:11.870228052 CEST	443	49734	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.870316982 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.878711939 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.878739119 CEST	443	49734	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.878887892 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.878988981 CEST	443	49734	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.879283905 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.879302025 CEST	49734	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.879323959 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:11.881122112 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.882761002 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:11.882778883 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:12.002881050 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:12.003007889 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:12.006664038 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:12.006675959 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:12.007074118 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:12.009624958 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:12.009721041 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:12.009816885 CEST	443	49737	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:12.009860039 CEST	49737	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:12.112010002 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.112168074 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.112716913 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.113080978 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.113145113 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.116906881 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.116908073 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.116998911 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.117151022 CEST	443	49736	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.117805958 CEST	49736	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.119079113 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.119153976 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.120088100 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.120265961 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.123692036 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.123699903 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.123853922 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.123970032 CEST	443	49735	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.124043941 CEST	49735	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.124164104 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.124224901 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.124484062 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.125632048 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:12.125679970 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:12.167227030 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:12.167253017 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:12.168185949 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:12.168359995 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:12.168375969 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:12.405972004 CEST	80	49738	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:12.407196999 CEST	49738	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:12.412990093 CEST	80	49738	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:12.422360897 CEST	49738	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:12.427184105 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:12.431200981 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.435626984 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.435671091 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:12.435760021 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.435906887 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:12.436186075 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.436270952 CEST	443	49750	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:12.436274052 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.437798023 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.439352036 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:12.439429045 CEST	443	49750	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.500225067 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:13.501792908 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:13.502710104 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:13.502912045 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:13.503735065 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:13.504337072 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:13.506237984 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.508838892 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.509537935 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.512448072 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:13.514033079 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.514050007 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.514050007 CEST	443	49740	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.514098883 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:13.514122963 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:13.514311075 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.514326096 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:13.514451981 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.514625072 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.514643908 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:13.514787912 CEST	49741	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:13.514803886 CEST	443	49741	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:13.517719030 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.519474983 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:13.519520044 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:13.519571066 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:13.519727945 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 25, 2024 10:01:13.521181107 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.521269083 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.521624088 CEST	443	49748	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.521625996 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.521667957 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.523179054 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:13.523291111 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.523302078 CEST	443	49740	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.523375034 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.523647070 CEST	443	49740	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.525124073 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 25, 2024 10:01:13.525137901 CEST	49748	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.525187016 CEST	49740	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.525198936 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.525480032 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:13.525522947 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:13.542733908 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.542759895 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.545922995 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.550354958 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:13.550365925 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:13.550671101 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.556586027 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:13.556775093 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.556915045 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:13.562303066 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:14.075099945 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.075149059 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.082117081 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.083606005 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.083622932 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.309982061 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:14.310209036 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:14.314476967 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:14.314565897 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:14.316976070 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.317764997 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:14.317794085 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:14.317946911 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.318048954 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:14.320951939 CEST	443	49750	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.321683884 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.325568914 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:14.325642109 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:14.325726032 CEST	443	49754	34.160.144.191	192.168.2.6
Oct 25, 2024 10:01:14.325907946 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.325920105 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.326037884 CEST	49754	443	192.168.2.6	34.160.144.191
Oct 25, 2024 10:01:14.326113939 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.326145887 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.326153994 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.326803923 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.326812029 CEST	443	49763	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.326988935 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.328591108 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.328600883 CEST	443	49763	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.328675032 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.328691006 CEST	443	49750	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.328731060 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.328959942 CEST	443	49750	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.330178976 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:14.336599112 CEST	49750	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.336623907 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:14.358124018 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:14.358668089 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:14.359030962 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:14.535335064 CEST	443	49755	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.542345047 CEST	49755	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.928263903 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.928282976 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.928369999 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.932652950 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.932662010 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.932873011 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.932912111 CEST	443	49761	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:14.932998896 CEST	49761	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:14.935621023 CEST	443	49763	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.935702085 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.939601898 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.939610958 CEST	443	49763	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.939690113 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:14.939776897 CEST	443	49763	34.117.188.166	192.168.2.6
Oct 25, 2024 10:01:14.939851999 CEST	49763	443	192.168.2.6	34.117.188.166
Oct 25, 2024 10:01:17.879729986 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:17.880700111 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:17.885176897 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:17.885977030 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:17.889100075 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:17.889172077 CEST	443	49784	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:17.889668941 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:17.891144991 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:17.891184092 CEST	443	49784	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:17.891983032 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:17.891999960 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:17.892272949 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:17.892440081 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:17.892452002 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:18.005494118 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:18.006117105 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:18.053313017 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:18.053342104 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:18.090617895 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:18.095985889 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:18.107238054 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.107302904 CEST	443	49787	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:18.107862949 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.109266996 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.109299898 CEST	443	49787	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:18.217344046 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:18.269524097 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:18.498770952 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:18.498852015 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:18.501574039 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:18.501584053 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:18.501806974 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:18.504164934 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:18.504250050 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:18.504306078 CEST	443	49785	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:18.504652023 CEST	49785	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:18.511920929 CEST	443	49784	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:18.512290955 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:18.515633106 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:18.515661955 CEST	443	49784	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:18.515714884 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:18.515877008 CEST	443	49784	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:18.515942097 CEST	49784	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:18.728918076 CEST	443	49787	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:18.729048967 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.733608007 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.733608007 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:18.733668089 CEST	443	49787	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:18.733886003 CEST	443	49787	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:18.739893913 CEST	49787	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:22.510421038 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:22.515697002 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:22.636310101 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:22.684355974 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:24.003415108 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.003485918 CEST	443	56840	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.003887892 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.005374908 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.005408049 CEST	443	56840	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.473371983 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:24.479403973 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:24.593697071 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.593750000 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.593918085 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.593955994 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.594894886 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.595078945 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.595084906 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.595109940 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.595156908 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.595171928 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.600737095 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:24.622412920 CEST	443	56840	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.625075102 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.633192062 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.633219004 CEST	443	56840	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.633282900 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.633424997 CEST	443	56840	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:24.633496046 CEST	56840	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:24.643376112 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:25.229526043 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.229863882 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.232495070 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.232506037 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.232817888 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.235507965 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.235682964 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.235764027 CEST	443	56843	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.235832930 CEST	56843	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.248661041 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.248738050 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.251424074 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.251445055 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.251785994 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.254432917 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.254506111 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:25.254630089 CEST	443	56842	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:25.254684925 CEST	56842	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:26.814941883 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:26.814986944 CEST	443	56857	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:26.816282988 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:26.817696095 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:26.817712069 CEST	443	56857	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:26.865140915 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:26.870472908 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:26.876521111 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:26.876550913 CEST	443	56858	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:26.876914024 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:26.878458023 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:26.878469944 CEST	443	56858	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:26.989707947 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:27.034784079 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:27.186005116 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:27.193233967 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:27.313182116 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:27.366863012 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:27.434171915 CEST	443	56857	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:27.434303999 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:27.460891008 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:27.460906982 CEST	443	56857	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:27.460973978 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:27.461124897 CEST	443	56857	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:27.461234093 CEST	56857	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:27.494631052 CEST	443	56858	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:27.498537064 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:27.503623009 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:27.503634930 CEST	443	56858	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:27.503739119 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:27.503830910 CEST	443	56858	34.120.208.123	192.168.2.6
Oct 25, 2024 10:01:27.511077881 CEST	56858	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:01:28.559016943 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:28.790282011 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:28.907838106 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:28.955935955 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:29.667187929 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:29.672696114 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:29.793898106 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:29.843112946 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:37.353112936 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:37.360855103 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:37.479563951 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:37.484299898 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:37.490417004 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:37.494651079 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:37.494740963 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:37.500317097 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:37.500317097 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:37.500448942 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:37.512047052 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:37.512130976 CEST	443	56919	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:37.512753963 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:37.514172077 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:37.514205933 CEST	443	56919	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:37.519439936 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:37.519512892 CEST	443	56921	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:37.519725084 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:37.519725084 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:37.519814014 CEST	443	56921	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:37.528115988 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:37.528157949 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:37.528366089 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:37.528474092 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:37.528493881 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:37.532557011 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:37.545753002 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:37.545790911 CEST	443	56923	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:37.548248053 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:37.573502064 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:37.573524952 CEST	443	56923	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:37.590253115 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:37.590287924 CEST	443	56924	35.201.103.21	192.168.2.6
Oct 25, 2024 10:01:37.595356941 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:37.596796036 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:37.596837044 CEST	443	56924	35.201.103.21	192.168.2.6
Oct 25, 2024 10:01:37.614458084 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:37.664176941 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.128417015 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:38.128509998 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:38.131906033 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:38.131918907 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:38.132225037 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:38.134742975 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:38.134840965 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:38.134916067 CEST	443	56922	151.101.193.91	192.168.2.6
Oct 25, 2024 10:01:38.135054111 CEST	56922	443	192.168.2.6	151.101.193.91
Oct 25, 2024 10:01:38.136909962 CEST	443	56921	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.137031078 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.139919996 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.139949083 CEST	443	56921	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.140008926 CEST	443	56919	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:38.140206099 CEST	443	56921	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.140294075 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.142580032 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:38.142580032 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.142647982 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.142729998 CEST	56921	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.145620108 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.145634890 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.145904064 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.150512934 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.150512934 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.150752068 CEST	443	56918	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.150753021 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:38.150762081 CEST	443	56919	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:38.150799990 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:38.151133060 CEST	443	56919	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:38.152329922 CEST	56919	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:38.152339935 CEST	56918	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.152960062 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.153016090 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.153537035 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.153635025 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.153642893 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.155309916 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.155416965 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.155956984 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.156056881 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.156084061 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.158303976 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.158328056 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.158643961 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.158767939 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.158793926 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.160248041 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.166460037 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.186580896 CEST	443	56923	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:38.186662912 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:38.191581011 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:38.191586971 CEST	443	56923	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:38.191665888 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:38.191842079 CEST	443	56923	35.190.72.216	192.168.2.6
Oct 25, 2024 10:01:38.192106009 CEST	56923	443	192.168.2.6	35.190.72.216
Oct 25, 2024 10:01:38.218377113 CEST	443	56924	35.201.103.21	192.168.2.6
Oct 25, 2024 10:01:38.218599081 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:38.222564936 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:38.222573042 CEST	443	56924	35.201.103.21	192.168.2.6
Oct 25, 2024 10:01:38.222650051 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:38.222780943 CEST	443	56924	35.201.103.21	192.168.2.6
Oct 25, 2024 10:01:38.226164103 CEST	56924	443	192.168.2.6	35.201.103.21
Oct 25, 2024 10:01:38.233555079 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.233584881 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.233692884 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.233824968 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.233835936 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.285960913 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.289781094 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.295520067 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.334882975 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.416538000 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.466448069 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.768742085 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.769325018 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.771255016 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.771357059 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.771553993 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.771629095 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.771673918 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.771702051 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.771959066 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.774142027 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.774153948 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.774636030 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.776161909 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.776177883 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.776472092 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.779346943 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.779405117 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.779520035 CEST	443	56930	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.779670000 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.779704094 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.779879093 CEST	443	56928	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.780244112 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.780298948 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.780406952 CEST	443	56927	35.244.181.201	192.168.2.6
Oct 25, 2024 10:01:38.781469107 CEST	56930	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.781469107 CEST	56928	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.781474113 CEST	56927	443	192.168.2.6	35.244.181.201
Oct 25, 2024 10:01:38.785738945 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.791241884 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.844557047 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.844748974 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.847737074 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.847764969 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.848100901 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.850667953 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.850764990 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.850873947 CEST	443	56932	34.149.100.209	192.168.2.6
Oct 25, 2024 10:01:38.851989985 CEST	56932	443	192.168.2.6	34.149.100.209
Oct 25, 2024 10:01:38.910682917 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.914606094 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:38.920249939 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:38.952253103 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:39.041852951 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:39.090416908 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:48.914907932 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:48.920587063 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:49.050668955 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:49.055999994 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:58.609343052 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:58.609365940 CEST	443	57044	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:58.609570026 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:58.611011028 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:58.611027956 CEST	443	57044	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:58.924660921 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:58.930357933 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.062767982 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:59.068591118 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.237993956 CEST	443	57044	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:59.238074064 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:59.243146896 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:59.243165970 CEST	443	57044	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:59.243243933 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:59.243343115 CEST	443	57044	34.107.243.93	192.168.2.6
Oct 25, 2024 10:01:59.243562937 CEST	57044	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:01:59.246124029 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:59.251616001 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.371629953 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.375125885 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:59.382088900 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.426179886 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:01:59.503859043 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:01:59.548120975 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:08.092883110 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.092916965 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.093153954 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093206882 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.093388081 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093430042 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.093511105 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093539953 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.093604088 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093718052 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093734980 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093759060 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093766928 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093779087 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.093945980 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.093982935 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.094085932 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.094099998 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.094158888 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.094175100 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.167310953 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.167326927 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.173296928 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.173326015 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.175338984 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.175515890 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.175656080 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.175668001 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.175775051 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.175791979 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.694719076 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.695050001 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.698645115 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.698669910 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.699004889 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.702119112 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.702250957 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.702297926 CEST	443	57047	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.702383041 CEST	57047	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.702805042 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.702837944 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.702927113 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.703087091 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.703099012 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.710593939 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.714608908 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.718748093 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.718755960 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.719079018 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.723006964 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.723084927 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.723201036 CEST	443	57046	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.723479033 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.723536015 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.726042986 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.726063013 CEST	57046	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.726092100 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.726361036 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.726397038 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.734155893 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.736290932 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.738297939 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.739162922 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.739175081 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.739589930 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.739861012 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.742386103 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.742393017 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.742753983 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.744678020 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.744746923 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.744863033 CEST	443	57049	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.745863914 CEST	57049	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.746339083 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.746473074 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.746532917 CEST	443	57048	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.761727095 CEST	57048	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.798476934 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.800148010 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.800165892 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.807460070 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.807463884 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.810703039 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.810708046 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.810806036 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:08.810959101 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.813097000 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.813107014 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.813997984 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.816205978 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:08.819123983 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.819215059 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.819294930 CEST	443	57051	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.820033073 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.820033073 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.820425987 CEST	443	57050	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:08.821386099 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.821429014 CEST	57051	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.821527004 CEST	57050	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:08.936434984 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:08.993329048 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:08.998958111 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:09.004483938 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.125905991 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.178211927 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:09.312071085 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.312144041 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.316541910 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.316551924 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.316775084 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.319894075 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.320022106 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.320065022 CEST	443	57052	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.320194960 CEST	57052	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.323471069 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:09.328962088 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.340704918 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.340804100 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.344369888 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.344398022 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.344830990 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.347671986 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.347817898 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.347902060 CEST	443	57053	34.120.208.123	192.168.2.6
Oct 25, 2024 10:02:09.348031044 CEST	57053	443	192.168.2.6	34.120.208.123
Oct 25, 2024 10:02:09.448697090 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.452508926 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:09.458049059 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.494697094 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:09.579477072 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:09.632766008 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:19.466548920 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:19.472040892 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:19.582387924 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:19.588728905 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:29.473650932 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:29.479216099 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:29.596215963 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:29.601943016 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:39.266311884 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:39.266350031 CEST	443	57055	34.107.243.93	192.168.2.6
Oct 25, 2024 10:02:39.266489983 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:39.267970085 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:39.267986059 CEST	443	57055	34.107.243.93	192.168.2.6
Oct 25, 2024 10:02:39.485408068 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:39.491146088 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:39.608041048 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:39.613600969 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:40.710458040 CEST	443	57055	34.107.243.93	192.168.2.6
Oct 25, 2024 10:02:40.712966919 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:40.719084024 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:40.719101906 CEST	443	57055	34.107.243.93	192.168.2.6
Oct 25, 2024 10:02:40.719196081 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:40.719280958 CEST	443	57055	34.107.243.93	192.168.2.6
Oct 25, 2024 10:02:40.719399929 CEST	57055	443	192.168.2.6	34.107.243.93
Oct 25, 2024 10:02:40.721800089 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:40.727144003 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:40.847904921 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:40.863158941 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:40.868577003 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:40.911145926 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:40.999376059 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:41.042361975 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:50.860996962 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:50.866508961 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:02:51.008289099 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:02:51.013641119 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:03:00.872929096 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:03:00.878607988 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:03:01.020165920 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:03:01.025921106 CEST	80	49753	34.107.221.82	192.168.2.6
Oct 25, 2024 10:03:10.886336088 CEST	49756	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:03:10.891733885 CEST	80	49756	34.107.221.82	192.168.2.6
Oct 25, 2024 10:03:11.033504009 CEST	49753	80	192.168.2.6	34.107.221.82
Oct 25, 2024 10:03:11.038954020 CEST	80	49753	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 10:01:11.236423969 CEST	52148	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.236933947 CEST	64976	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.244796038 CEST	53	52148	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.247495890 CEST	57298	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.248123884 CEST	51136	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.248869896 CEST	55423	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.256015062 CEST	53	57298	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.257126093 CEST	53	55423	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.257141113 CEST	53	51136	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.258555889 CEST	64817	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.258790016 CEST	59474	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.259046078 CEST	54964	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.265824080 CEST	53	59474	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.266335964 CEST	53	54964	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.266690016 CEST	53	64817	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.389503956 CEST	54400	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.397001028 CEST	53	54400	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.416975975 CEST	55611	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.424998999 CEST	53	55611	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.803114891 CEST	52566	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.810573101 CEST	53	52566	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.811863899 CEST	49613	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.816530943 CEST	65145	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.819405079 CEST	53	49613	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.821072102 CEST	64627	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.823920965 CEST	53	65145	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.827788115 CEST	58231	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.828670979 CEST	53	64627	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.836148024 CEST	53	58231	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:11.846803904 CEST	61120	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:11.855149984 CEST	53	61120	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:12.157119989 CEST	52587	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:12.165126085 CEST	53	52587	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:12.167510986 CEST	53073	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:12.178292036 CEST	53	53073	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:12.184453964 CEST	56939	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:12.192102909 CEST	53	56939	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:12.234217882 CEST	62345	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:12.271167040 CEST	53	53563	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:12.457634926 CEST	60777	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:12.457734108 CEST	58839	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.159307957 CEST	54012	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.468101025 CEST	58839	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.468122959 CEST	60777	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.499007940 CEST	53	58839	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.499074936 CEST	53	58839	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.499104023 CEST	53	60777	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.499291897 CEST	53	60777	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.868788958 CEST	60531	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.876441956 CEST	53	60531	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.878571987 CEST	63591	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.886888027 CEST	53	63591	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:13.887433052 CEST	63440	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:13.895368099 CEST	53	63440	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.697635889 CEST	49343	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.706151009 CEST	53	49343	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.738003016 CEST	56065	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.745863914 CEST	53	56065	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.746869087 CEST	58221	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.755470991 CEST	53	58221	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.889520884 CEST	52157	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.890429020 CEST	61718	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.896858931 CEST	53	52157	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.897418022 CEST	59265	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.897916079 CEST	53	61718	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.898354053 CEST	53932	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:17.905065060 CEST	53	59265	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:17.906400919 CEST	53	53932	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:18.074343920 CEST	50124	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:18.081759930 CEST	53	50124	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:18.107791901 CEST	58758	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:18.115453959 CEST	53	58758	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:18.120563984 CEST	59414	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:18.127842903 CEST	53	59414	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:21.874624014 CEST	53	50796	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:22.512564898 CEST	63995	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:22.519902945 CEST	53	63995	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:26.814423084 CEST	58340	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:26.822300911 CEST	53	58340	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.857224941 CEST	62940	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.857225895 CEST	56802	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.857516050 CEST	64802	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.864444017 CEST	53	62940	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.865050077 CEST	53	64802	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.865071058 CEST	53	56802	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.865495920 CEST	60265	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.873579025 CEST	53	60265	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.991044998 CEST	64096	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.991044998 CEST	52527	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.991391897 CEST	64945	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.998506069 CEST	53	64096	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.998771906 CEST	53	52527	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.998960018 CEST	53	64945	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:31.999258995 CEST	49612	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.999890089 CEST	60369	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:31.999933004 CEST	56515	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.007015944 CEST	53	49612	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.007611036 CEST	53	60369	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.007641077 CEST	50753	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.007730007 CEST	53	56515	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.008220911 CEST	60467	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.015857935 CEST	53	50753	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.016266108 CEST	53	60467	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.016391039 CEST	49316	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.016833067 CEST	50038	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.024137974 CEST	53	49316	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.024316072 CEST	53	50038	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:32.024776936 CEST	65292	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:32.032444954 CEST	53	65292	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.495712042 CEST	50689	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.503993988 CEST	53	50689	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.508007050 CEST	55067	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.512461901 CEST	64132	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.516154051 CEST	53	55067	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.516798973 CEST	59787	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.520077944 CEST	53	64132	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.524208069 CEST	53	59787	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.528446913 CEST	57778	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.536005020 CEST	53	57778	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.536659002 CEST	55582	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.545485020 CEST	53	55582	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.581078053 CEST	52355	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.589170933 CEST	53	52355	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.590917110 CEST	58596	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.601747036 CEST	53	58596	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:37.608144999 CEST	56944	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:37.619113922 CEST	53	56944	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:58.600430965 CEST	61754	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:58.608057976 CEST	53	61754	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:58.609256029 CEST	51430	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:01:58.616748095 CEST	53	51430	1.1.1.1	192.168.2.6
Oct 25, 2024 10:01:59.246434927 CEST	54384	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:02:08.093055964 CEST	50994	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:02:08.100516081 CEST	53	50994	1.1.1.1	192.168.2.6
Oct 25, 2024 10:02:39.256608009 CEST	64016	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:02:39.265203953 CEST	53	64016	1.1.1.1	192.168.2.6
Oct 25, 2024 10:02:39.266320944 CEST	57953	53	192.168.2.6	1.1.1.1
Oct 25, 2024 10:02:39.273916006 CEST	53	57953	1.1.1.1	192.168.2.6
Oct 25, 2024 10:02:40.722127914 CEST	61926	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 10:01:11.236423969 CEST	192.168.2.6	1.1.1.1	0x3e2b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.236933947 CEST	192.168.2.6	1.1.1.1	0xdcac	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.247495890 CEST	192.168.2.6	1.1.1.1	0xdba1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.248123884 CEST	192.168.2.6	1.1.1.1	0xbd54	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.248869896 CEST	192.168.2.6	1.1.1.1	0x70df	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.258555889 CEST	192.168.2.6	1.1.1.1	0x2378	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:11.258790016 CEST	192.168.2.6	1.1.1.1	0x12cb	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:11.259046078 CEST	192.168.2.6	1.1.1.1	0xc3ba	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:11.389503956 CEST	192.168.2.6	1.1.1.1	0x4357	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.416975975 CEST	192.168.2.6	1.1.1.1	0xcaa8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:11.803114891 CEST	192.168.2.6	1.1.1.1	0xd0d8	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.811863899 CEST	192.168.2.6	1.1.1.1	0xcf10	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.816530943 CEST	192.168.2.6	1.1.1.1	0x9d93	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.821072102 CEST	192.168.2.6	1.1.1.1	0xc713	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:11.827788115 CEST	192.168.2.6	1.1.1.1	0x8cb	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.846803904 CEST	192.168.2.6	1.1.1.1	0x6cd2	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:12.157119989 CEST	192.168.2.6	1.1.1.1	0x6d99	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.167510986 CEST	192.168.2.6	1.1.1.1	0x2a97	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.184453964 CEST	192.168.2.6	1.1.1.1	0x57d4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:12.234217882 CEST	192.168.2.6	1.1.1.1	0x5217	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.457634926 CEST	192.168.2.6	1.1.1.1	0x2c76	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.457734108 CEST	192.168.2.6	1.1.1.1	0xfb40	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.159307957 CEST	192.168.2.6	1.1.1.1	0x2e8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.468101025 CEST	192.168.2.6	1.1.1.1	0xfb40	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.468122959 CEST	192.168.2.6	1.1.1.1	0x2c76	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.868788958 CEST	192.168.2.6	1.1.1.1	0x318f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.878571987 CEST	192.168.2.6	1.1.1.1	0x4142	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.887433052 CEST	192.168.2.6	1.1.1.1	0x731f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:17.697635889 CEST	192.168.2.6	1.1.1.1	0xd97b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.738003016 CEST	192.168.2.6	1.1.1.1	0x93b6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.746869087 CEST	192.168.2.6	1.1.1.1	0xd563	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:17.889520884 CEST	192.168.2.6	1.1.1.1	0x2cdc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.890429020 CEST	192.168.2.6	1.1.1.1	0x388	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.897418022 CEST	192.168.2.6	1.1.1.1	0xab92	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:17.898354053 CEST	192.168.2.6	1.1.1.1	0x18b4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:18.074343920 CEST	192.168.2.6	1.1.1.1	0x665a	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:18.107791901 CEST	192.168.2.6	1.1.1.1	0x85e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:18.120563984 CEST	192.168.2.6	1.1.1.1	0xd4a7	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:22.512564898 CEST	192.168.2.6	1.1.1.1	0x43c8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:26.814423084 CEST	192.168.2.6	1.1.1.1	0x5ac4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:31.857224941 CEST	192.168.2.6	1.1.1.1	0x9b6b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.857225895 CEST	192.168.2.6	1.1.1.1	0x7b81	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.857516050 CEST	192.168.2.6	1.1.1.1	0xacd3	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865495920 CEST	192.168.2.6	1.1.1.1	0x82e8	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.991044998 CEST	192.168.2.6	1.1.1.1	0xe2b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:31.991044998 CEST	192.168.2.6	1.1.1.1	0x39cc	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.991391897 CEST	192.168.2.6	1.1.1.1	0x883a	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.999258995 CEST	192.168.2.6	1.1.1.1	0xb380	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.999890089 CEST	192.168.2.6	1.1.1.1	0x94a4	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 10:01:31.999933004 CEST	192.168.2.6	1.1.1.1	0xf90d	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:32.007641077 CEST	192.168.2.6	1.1.1.1	0xad4c	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.008220911 CEST	192.168.2.6	1.1.1.1	0xcda4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.016391039 CEST	192.168.2.6	1.1.1.1	0x66d0	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:32.016833067 CEST	192.168.2.6	1.1.1.1	0xbf18	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.024776936 CEST	192.168.2.6	1.1.1.1	0x96ad	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:37.495712042 CEST	192.168.2.6	1.1.1.1	0x7c4d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.508007050 CEST	192.168.2.6	1.1.1.1	0x7db9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 10:01:37.512461901 CEST	192.168.2.6	1.1.1.1	0x6c52	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:37.516798973 CEST	192.168.2.6	1.1.1.1	0x6876	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.528446913 CEST	192.168.2.6	1.1.1.1	0xfd69	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.536659002 CEST	192.168.2.6	1.1.1.1	0x327c	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 10:01:37.581078053 CEST	192.168.2.6	1.1.1.1	0xcf98	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.590917110 CEST	192.168.2.6	1.1.1.1	0xfbaa	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.608144999 CEST	192.168.2.6	1.1.1.1	0xd33e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:58.600430965 CEST	192.168.2.6	1.1.1.1	0xdfe	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:58.609256029 CEST	192.168.2.6	1.1.1.1	0x2a34	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:01:59.246434927 CEST	192.168.2.6	1.1.1.1	0x5eca	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:02:08.093055964 CEST	192.168.2.6	1.1.1.1	0x4dc7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:02:39.256608009 CEST	192.168.2.6	1.1.1.1	0xf1d6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:02:39.266320944 CEST	192.168.2.6	1.1.1.1	0xf162	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 10:02:40.722127914 CEST	192.168.2.6	1.1.1.1	0x52e8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 10:01:11.244479895 CEST	1.1.1.1	192.168.2.6	0x4695	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.244796038 CEST	1.1.1.1	192.168.2.6	0x3e2b	No error (0)	youtube.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.245111942 CEST	1.1.1.1	192.168.2.6	0xdcac	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:11.245111942 CEST	1.1.1.1	192.168.2.6	0xdcac	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.256015062 CEST	1.1.1.1	192.168.2.6	0xdba1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.257126093 CEST	1.1.1.1	192.168.2.6	0x70df	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.257141113 CEST	1.1.1.1	192.168.2.6	0xbd54	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.265824080 CEST	1.1.1.1	192.168.2.6	0x12cb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:11.266335964 CEST	1.1.1.1	192.168.2.6	0xc3ba	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:11.387356043 CEST	1.1.1.1	192.168.2.6	0x8fbb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:11.387356043 CEST	1.1.1.1	192.168.2.6	0x8fbb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.397001028 CEST	1.1.1.1	192.168.2.6	0x4357	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.810573101 CEST	1.1.1.1	192.168.2.6	0xd0d8	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.819405079 CEST	1.1.1.1	192.168.2.6	0xcf10	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.823920965 CEST	1.1.1.1	192.168.2.6	0x9d93	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:11.823920965 CEST	1.1.1.1	192.168.2.6	0x9d93	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:11.836148024 CEST	1.1.1.1	192.168.2.6	0x8cb	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.165126085 CEST	1.1.1.1	192.168.2.6	0x6d99	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:12.165126085 CEST	1.1.1.1	192.168.2.6	0x6d99	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:12.165126085 CEST	1.1.1.1	192.168.2.6	0x6d99	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.178292036 CEST	1.1.1.1	192.168.2.6	0x2a97	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:12.192102909 CEST	1.1.1.1	192.168.2.6	0x57d4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:12.242432117 CEST	1.1.1.1	192.168.2.6	0x5217	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499007940 CEST	1.1.1.1	192.168.2.6	0xfb40	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499007940 CEST	1.1.1.1	192.168.2.6	0xfb40	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499074936 CEST	1.1.1.1	192.168.2.6	0xfb40	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499074936 CEST	1.1.1.1	192.168.2.6	0xfb40	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499104023 CEST	1.1.1.1	192.168.2.6	0x2c76	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499291897 CEST	1.1.1.1	192.168.2.6	0x2c76	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499345064 CEST	1.1.1.1	192.168.2.6	0x2e8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:13.499345064 CEST	1.1.1.1	192.168.2.6	0x2e8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.876441956 CEST	1.1.1.1	192.168.2.6	0x318f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:13.886888027 CEST	1.1.1.1	192.168.2.6	0x4142	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.706151009 CEST	1.1.1.1	192.168.2.6	0xd97b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:17.706151009 CEST	1.1.1.1	192.168.2.6	0xd97b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:17.706151009 CEST	1.1.1.1	192.168.2.6	0xd97b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.745863914 CEST	1.1.1.1	192.168.2.6	0x93b6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.888036966 CEST	1.1.1.1	192.168.2.6	0x2d65	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.889684916 CEST	1.1.1.1	192.168.2.6	0xd9a1	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:17.889684916 CEST	1.1.1.1	192.168.2.6	0xd9a1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.896858931 CEST	1.1.1.1	192.168.2.6	0x2cdc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:17.897916079 CEST	1.1.1.1	192.168.2.6	0x388	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:18.081759930 CEST	1.1.1.1	192.168.2.6	0x665a	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:18.081759930 CEST	1.1.1.1	192.168.2.6	0x665a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:18.115453959 CEST	1.1.1.1	192.168.2.6	0x85e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:22.518646955 CEST	1.1.1.1	192.168.2.6	0x7776	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:26.883156061 CEST	1.1.1.1	192.168.2.6	0x282d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.864444017 CEST	1.1.1.1	192.168.2.6	0x9b6b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:31.864444017 CEST	1.1.1.1	192.168.2.6	0x9b6b	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865050077 CEST	1.1.1.1	192.168.2.6	0xacd3	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865050077 CEST	1.1.1.1	192.168.2.6	0xacd3	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.865071058 CEST	1.1.1.1	192.168.2.6	0x7b81	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.873579025 CEST	1.1.1.1	192.168.2.6	0x82e8	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998506069 CEST	1.1.1.1	192.168.2.6	0xe2b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:31.998771906 CEST	1.1.1.1	192.168.2.6	0x39cc	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:31.998960018 CEST	1.1.1.1	192.168.2.6	0x883a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007015944 CEST	1.1.1.1	192.168.2.6	0xb380	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007015944 CEST	1.1.1.1	192.168.2.6	0xb380	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007015944 CEST	1.1.1.1	192.168.2.6	0xb380	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007015944 CEST	1.1.1.1	192.168.2.6	0xb380	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007015944 CEST	1.1.1.1	192.168.2.6	0xb380	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.007611036 CEST	1.1.1.1	192.168.2.6	0x94a4	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.007730007 CEST	1.1.1.1	192.168.2.6	0xf90d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.007730007 CEST	1.1.1.1	192.168.2.6	0xf90d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.007730007 CEST	1.1.1.1	192.168.2.6	0xf90d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.007730007 CEST	1.1.1.1	192.168.2.6	0xf90d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.015857935 CEST	1.1.1.1	192.168.2.6	0xad4c	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.015857935 CEST	1.1.1.1	192.168.2.6	0xad4c	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.015857935 CEST	1.1.1.1	192.168.2.6	0xad4c	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.015857935 CEST	1.1.1.1	192.168.2.6	0xad4c	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.016266108 CEST	1.1.1.1	192.168.2.6	0xcda4	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:32.024137974 CEST	1.1.1.1	192.168.2.6	0x66d0	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.024137974 CEST	1.1.1.1	192.168.2.6	0x66d0	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.024137974 CEST	1.1.1.1	192.168.2.6	0x66d0	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.024137974 CEST	1.1.1.1	192.168.2.6	0x66d0	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Oct 25, 2024 10:01:32.024316072 CEST	1.1.1.1	192.168.2.6	0xbf18	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.501110077 CEST	1.1.1.1	192.168.2.6	0x746	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:37.501110077 CEST	1.1.1.1	192.168.2.6	0x746	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.503993988 CEST	1.1.1.1	192.168.2.6	0x7c4d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.524208069 CEST	1.1.1.1	192.168.2.6	0x6876	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.524208069 CEST	1.1.1.1	192.168.2.6	0x6876	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.524208069 CEST	1.1.1.1	192.168.2.6	0x6876	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.524208069 CEST	1.1.1.1	192.168.2.6	0x6876	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.536005020 CEST	1.1.1.1	192.168.2.6	0xfd69	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.536005020 CEST	1.1.1.1	192.168.2.6	0xfd69	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.536005020 CEST	1.1.1.1	192.168.2.6	0xfd69	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.536005020 CEST	1.1.1.1	192.168.2.6	0xfd69	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.589170933 CEST	1.1.1.1	192.168.2.6	0xcf98	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:37.589170933 CEST	1.1.1.1	192.168.2.6	0xcf98	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:37.601747036 CEST	1.1.1.1	192.168.2.6	0xfbaa	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:38.847709894 CEST	1.1.1.1	192.168.2.6	0xbb67	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:38.847709894 CEST	1.1.1.1	192.168.2.6	0xbb67	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:58.608057976 CEST	1.1.1.1	192.168.2.6	0xdfe	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:01:59.254427910 CEST	1.1.1.1	192.168.2.6	0x5eca	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:01:59.254427910 CEST	1.1.1.1	192.168.2.6	0x5eca	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:02:08.091620922 CEST	1.1.1.1	192.168.2.6	0xd808	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:02:39.265203953 CEST	1.1.1.1	192.168.2.6	0xf1d6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 10:02:40.730549097 CEST	1.1.1.1	192.168.2.6	0x52e8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 10:02:40.730549097 CEST	1.1.1.1	192.168.2.6	0x52e8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49738	34.107.221.82	80	6484	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 10:01:11.808893919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:12.405972004 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70278 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49753	34.107.221.82	80	6484	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 10:01:13.517719030 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:14.309982061 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79581 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:14.330178976 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79581 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:17.879729986 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:18.006117105 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79584 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:18.090617895 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:18.217344046 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79585 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:24.473371983 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:24.600737095 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79591 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:27.186005116 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:27.313182116 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79594 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:29.667187929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:29.793898106 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79596 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:37.484299898 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:37.614458084 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79604 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:38.289781094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:38.416538000 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79605 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:38.914606094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:39.041852951 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79605 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:01:49.050668955 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:01:59.062767982 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:01:59.375125885 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:01:59.503859043 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79626 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:02:08.998958111 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:02:09.125905991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79636 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:02:09.452508926 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:02:09.579477072 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79636 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:02:19.582387924 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:29.596215963 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:39.608041048 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:40.863158941 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 10:02:40.999376059 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 79667 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 10:02:51.008289099 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:03:01.020165920 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:03:11.033504009 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49756	34.107.221.82	80	6484	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 10:01:13.556915045 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:14.310209036 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70280 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:14.358124018 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70280 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:17.880700111 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:18.005494118 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70283 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:22.510421038 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:22.636310101 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70288 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:26.865140915 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:26.989707947 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70292 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:28.559016943 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:28.907838106 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70294 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:37.353112936 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:37.479563951 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70303 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:38.160248041 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:38.285960913 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:38.785738945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:38.910682917 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:01:48.914907932 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:01:58.924660921 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:01:59.246124029 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:01:59.371629953 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70325 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:02:08.810806036 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:02:08.936434984 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70334 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:02:09.323471069 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:02:09.448697090 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70335 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:02:19.466548920 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:29.473650932 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:39.485408068 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:02:40.721800089 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 10:02:40.847904921 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 70366 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 10:02:50.860996962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:03:00.872929096 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 10:03:10.886336088 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	04:01:02
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb00000
File size:	919'552 bytes
MD5 hash:	D18D5C5315A7B34B6C746FDBD100FD57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:01:02
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:01:02
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:01:04
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:01:04
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:01:04
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:01:04
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:01:05
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	04:01:06
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5b33e7-d113-4847-8deb-63ab7a99d8dc} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffa3f6d710 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	04:01:09
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee93147-3765-4cc2-bc3d-54383d42b79d} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb640b910 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	04:01:17
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3568 -prefMapHandle 4724 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c4fb31-33a7-4628-840c-3041c3ce5eed} 6484 "\\.\pipe\gecko-crash-server-pipe.6484" 1ffb4fc2510 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1481
Total number of Limit Nodes:	56

Executed Functions

Function 00B042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B0430D

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

GetCurrentProcess.KERNEL32(?,00B9CB64,00000000,?,?), ref: 00B04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B04466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B044A0

Strings

kernel32.dll, xrefs: 00B0444F
|O, xrefs: 00B436F8
GetNativeSystemInfo, xrefs: 00B04460

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b8e1a17d9ec216ffcf163df6eaa67436d9830bbe2e3d9e7d9e25081f0f9b83c4
Instruction ID: 6e70a1a37e6d7712047a0d33cc2df4f6a6a7df2d0a0aec74a74a830501ca97bc
Opcode Fuzzy Hash: b8e1a17d9ec216ffcf163df6eaa67436d9830bbe2e3d9e7d9e25081f0f9b83c4
Instruction Fuzzy Hash: 56A162A590B2C0FBC711C76DB9A1599BFE5AB26720B084CDBD18593772FE304A04DB2D

Function 00B042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B050AA,?,?,00000000,00000000), ref: 00B042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B050AA,?,?,00000000,00000000), ref: 00B042C9
LoadResource.KERNEL32(?,00000000,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20), ref: 00B435BE
SizeofResource.KERNEL32(?,00000000,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20), ref: 00B435D3
LockResource.KERNEL32(00B050AA,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20,?), ref: 00B435E6

Strings

SCRIPT, xrefs: 00B042BF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2c6e3ec153d91ed46de5aba81f4872bfcbfcff19bed9c2557f3bf2c02aa83003
Instruction ID: 31518c02b3e60231d5416702b0d3282955c38d4a210b4cf4dbd4ca4e95548b1e
Opcode Fuzzy Hash: 2c6e3ec153d91ed46de5aba81f4872bfcbfcff19bed9c2557f3bf2c02aa83003
Instruction Fuzzy Hash: 0E117CB0200700BFDB218B65DD48F277FF9EBC5B51F2481AAB502D62A0DB71D8048A30

Function 00B42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B02B6B

Part of subcall function 00B03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD1418,?,00B02E7F,?,?,?,00000000), ref: 00B03A78

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00BC2224), ref: 00B42C10
ShellExecuteW.SHELL32(00000000,?,?,00BC2224), ref: 00B42C17

Strings

runas, xrefs: 00B42C0B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 3db9b6f9378e9cb30fb533589e82063a910c88853544abef689ea90534711cb8
Instruction ID: 99ad8e23771f5b7597aaccb928a22c5b41d69d63a814798e98b6c0f934a64b7c
Opcode Fuzzy Hash: 3db9b6f9378e9cb30fb533589e82063a910c88853544abef689ea90534711cb8
Instruction Fuzzy Hash: 6A11A2312083416AC714FF64D89AA7EBFE8DB91740F4458EEF182531E3DF219A499B12

Function 00B6D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00B6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00B6D52F
CloseHandle.KERNELBASE(00000000), ref: 00B6D5DC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d2b4bb28747ca05320e75c7f5fbd2a6bc5ee7bd0588122174aa1559bb6c1fb10
Instruction ID: 9566c9e31ac5004d904c7e54a3a954c2b968b2168f715983df8928831b40be81
Opcode Fuzzy Hash: d2b4bb28747ca05320e75c7f5fbd2a6bc5ee7bd0588122174aa1559bb6c1fb10
Instruction Fuzzy Hash: 7F31B1715083009FD300EF54C881AAFBFF8EF99354F54096DF586971A2EB719948CBA2

Function 00B6DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00B45222), ref: 00B6DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00B6DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00B6DBEE
FindClose.KERNEL32(00000000), ref: 00B6DBFA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2867ca380cef480379ee9e9349b88a7f30fc6ea9eee58c1a09fa9f3da5d3371f
Instruction ID: 7d7dfc2ce94f6f5207a1579accae057ad333cb323d18e0b099c1a0d5de346449
Opcode Fuzzy Hash: 2867ca380cef480379ee9e9349b88a7f30fc6ea9eee58c1a09fa9f3da5d3371f
Instruction Fuzzy Hash: EDF0A03081091857C220AF78AE0D8AA3BACDE02334B504B43F836C20E0EFB5599486D9

Function 00B24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000,?,00B328E9), ref: 00B24D09
TerminateProcess.KERNEL32(00000000,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000,?,00B328E9), ref: 00B24D10
ExitProcess.KERNEL32 ref: 00B24D22

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4a479b11da34f0c2b94f7dc708d2f17baaf073211b184c4c206c8ffae4993a7b
Instruction ID: b536174f8dae6d741372fe542c35d9fbfb7cd77bf5589e868b08efe8039fcb34
Opcode Fuzzy Hash: 4a479b11da34f0c2b94f7dc708d2f17baaf073211b184c4c206c8ffae4993a7b
Instruction Fuzzy Hash: 6AE0B631004158AFCF11AF54EE0AA593FA9EB46B81F104065FC099B522CB35DD42CA94

Function 00B8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00B8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B1D4
_wcslen.LIBCMT ref: 00B8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B236
_wcslen.LIBCMT ref: 00B8B332

Part of subcall function 00B705A7: GetStdHandle.KERNEL32(000000F6), ref: 00B705C6

_wcslen.LIBCMT ref: 00B8B34B
_wcslen.LIBCMT ref: 00B8B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8B3B6
GetLastError.KERNEL32(00000000), ref: 00B8B407
CloseHandle.KERNEL32(?), ref: 00B8B439
CloseHandle.KERNEL32(00000000), ref: 00B8B44A
CloseHandle.KERNEL32(00000000), ref: 00B8B45C
CloseHandle.KERNEL32(00000000), ref: 00B8B46E
CloseHandle.KERNEL32(?), ref: 00B8B4E3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c992e642fe5790b7fb6e36f1783c39426570cf0a4c742218a816a4467cd661e4
Instruction ID: 3b96ff30cc854e3a731dfe7a9b0508e5d893fe01e19704a701d8218d72a0415a
Opcode Fuzzy Hash: c992e642fe5790b7fb6e36f1783c39426570cf0a4c742218a816a4467cd661e4
Instruction Fuzzy Hash: C3F15A716082409FCB14EF24C891F6ABBE5EF85314F18859DF8999B2A2DB31EC45CB52

Function 00B0D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B0D807
timeGetTime.WINMM ref: 00B0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0DB28
TranslateMessage.USER32(?), ref: 00B0DB7B
DispatchMessageW.USER32(?), ref: 00B0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0DB9F
Sleep.KERNELBASE(0000000A), ref: 00B0DBB1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: cf459e9e86d5127832809fbe2e09b2412067d836249a8b1157e5d7c17c938ba2
Instruction ID: 0a3f1ef71d5f86b70af82d5c76550fe0c715bbcad09d381c7e20e9c5cd64fcda
Opcode Fuzzy Hash: cf459e9e86d5127832809fbe2e09b2412067d836249a8b1157e5d7c17c938ba2
Instruction Fuzzy Hash: 1C42E430605341EFD724CF64C894BAABBE4FF46314F5489E9E965872D1DB70E848CB92

Function 00B02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B02D07
RegisterClassExW.USER32(00000030), ref: 00B02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B02D42
InitCommonControlsEx.COMCTL32(?), ref: 00B02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B02D6F
LoadIconW.USER32(000000A9), ref: 00B02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B02D94

Strings

AutoIt v3 GUI, xrefs: 00B02D23
+, xrefs: 00B02CF0
TaskbarCreated, xrefs: 00B02D37
0, xrefs: 00B02CE9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2a918df6dd999821570bde23f4be6ee791a2fcbcef381464d2d776596ec87eff
Instruction ID: 9b83b8a5edc25d95de054afa686776134e9d7ee7f2f107c9dd68c57ae6637612
Opcode Fuzzy Hash: 2a918df6dd999821570bde23f4be6ee791a2fcbcef381464d2d776596ec87eff
Instruction Fuzzy Hash: 1421B4B5902218AFDB00DFA8ED69ADDBFB8FB08700F00451BE511A72A0EBB545458F95

Function 00B4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00B40704,?,?,00000000,?,00B40704,00000000,0000000C), ref: 00B403B7

GetLastError.KERNEL32 ref: 00B4076F
__dosmaperr.LIBCMT ref: 00B40776
GetFileType.KERNELBASE(00000000), ref: 00B40782
GetLastError.KERNEL32 ref: 00B4078C
__dosmaperr.LIBCMT ref: 00B40795
CloseHandle.KERNEL32(00000000), ref: 00B407B5
CloseHandle.KERNEL32(?), ref: 00B408FF
GetLastError.KERNEL32 ref: 00B40931
__dosmaperr.LIBCMT ref: 00B40938

Strings

H, xrefs: 00B408BD

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 64ba2e499f6d06d3b9ad3618c57273bc7909b8d2325c09fddacb6567c6fa4b9a
Instruction ID: 30a40d62fb7cdd4a5aa0b0f99cf3395506461375df905dc1d2ff84d359f184aa
Opcode Fuzzy Hash: 64ba2e499f6d06d3b9ad3618c57273bc7909b8d2325c09fddacb6567c6fa4b9a
Instruction Fuzzy Hash: 00A12832A241148FDF19BF78D891BAD7BF0EB06320F24019EF9159B291DB359E12DB91

Function 00B0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD1418,?,00B02E7F,?,?,?,00000000), ref: 00B03A78

Part of subcall function 00B03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B03379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B431CE
RegCloseKey.ADVAPI32(?), ref: 00B43210
_wcslen.LIBCMT ref: 00B43277
_wcslen.LIBCMT ref: 00B43286

Strings

\, xrefs: 00B4328C
Software\AutoIt v3\AutoIt, xrefs: 00B03560
Include, xrefs: 00B43184, 00B431C5
\Include\, xrefs: 00B03527

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0faeae8a7acf3c6ff4b81588a448f832065b536fd607e9a184c639be127941a2
Instruction ID: dd9167f0b9ac3ce4a8137dd48d6ab2c8f6c151ce432c7aa0ad32577d99fbbc40
Opcode Fuzzy Hash: 0faeae8a7acf3c6ff4b81588a448f832065b536fd607e9a184c639be127941a2
Instruction Fuzzy Hash: 0F71C2715053419FC314EF29EC928ABFBE8FFA4750F40496EF545832A0EB708A48CB66

Function 00B02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B02B9D
LoadIconW.USER32(00000063), ref: 00B02BB3
LoadIconW.USER32(000000A4), ref: 00B02BC5
LoadIconW.USER32(000000A2), ref: 00B02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B02BEF
RegisterClassExW.USER32(?), ref: 00B02C40

Part of subcall function 00B02CD4: GetSysColorBrush.USER32(0000000F), ref: 00B02D07
Part of subcall function 00B02CD4: RegisterClassExW.USER32(00000030), ref: 00B02D31
Part of subcall function 00B02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B02D42
Part of subcall function 00B02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B02D5F
Part of subcall function 00B02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B02D6F
Part of subcall function 00B02CD4: LoadIconW.USER32(000000A9), ref: 00B02D85
Part of subcall function 00B02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B02D94

Strings

0, xrefs: 00B02C0F
#, xrefs: 00B02C16
AutoIt v3, xrefs: 00B02C2F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0982f700ba65dede8eb7b7f38a373cefa2095c355d7284a92b736bd9ef1b76aa
Instruction ID: 9c7003e8d89e0adb62a05d52751f9b8ba5bfce8c259ab5eff775aa3daec47b66
Opcode Fuzzy Hash: 0982f700ba65dede8eb7b7f38a373cefa2095c355d7284a92b736bd9ef1b76aa
Instruction Fuzzy Hash: FC211D71E02314BBDB10DFD9ED65A99BFB4FB48B60F40055BE504A76A0EBB50940CF98

Function 00B03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B0316A,?,?), ref: 00B031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B0316A,?,?), ref: 00B03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B0316A,?,?), ref: 00B03232
CreatePopupMenu.USER32 ref: 00B03246
PostQuitMessage.USER32(00000000), ref: 00B03267

Strings

TaskbarCreated, xrefs: 00B0322D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fdd4811b35d652703207a313b4766a8be421567cccf5b5f96b7c5e2d3f8cca5d
Instruction ID: 2d079530d50e046e511afed1041d6474218e80c3e9f03c9393fba25fe59c1606
Opcode Fuzzy Hash: fdd4811b35d652703207a313b4766a8be421567cccf5b5f96b7c5e2d3f8cca5d
Instruction Fuzzy Hash: 3F411035240200BBDB145FAC9DADB793FDDEB09B50F0405E6F902972E1EB658F81A7A1

Function 00B01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B01459
CoUninitialize.COMBASE ref: 00B014F8
UnregisterHotKey.USER32(?), ref: 00B016DD
DestroyWindow.USER32(?), ref: 00B424B9
FreeLibrary.KERNEL32(?), ref: 00B4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B4254B

Strings

close all, xrefs: 00B01454

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 74f7983e37376ca2b9b0c8f38f8d6b605dfe82c663f0108164672dd4f539267b
Instruction ID: a16ab54ee50e0c752de163d18a421c118ca719c16d5b844443fcf1fcfce77e6d
Opcode Fuzzy Hash: 74f7983e37376ca2b9b0c8f38f8d6b605dfe82c663f0108164672dd4f539267b
Instruction Fuzzy Hash: 20D149317012128FCB19EF18C899A29FBE4FF05700F5586EDE54A6B2A2DB31AD12DF51

Function 00B02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B01CAD,?), ref: 00B02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B01CAD,?), ref: 00B02CCF

Strings

AutoIt v3, xrefs: 00B02C89, 00B02C8E, 00B02C8F
edit, xrefs: 00B02CAC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 70114c94ae8709a03f46d0e336ee796ef93cd9321c999ffb96c92a9ef975027f
Instruction ID: 251cb1c81e5f479267dfd2cd2dcea2e93e6e621f5112ee97f4729553bc969f37
Opcode Fuzzy Hash: 70114c94ae8709a03f46d0e336ee796ef93cd9321c999ffb96c92a9ef975027f
Instruction Fuzzy Hash: E0F0DA756412907BEB311B1BAC18E77AFBDD7C6F60B01046BF904A35A0EA651850DAB8

Function 00B03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B83

Strings

Control Panel\Mouse, xrefs: 00B03B3E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b753b43cb2a5e00b0ea2fcf574848301aa915bcf242787dd7a01845f9005e14b
Instruction ID: 9edee84827735eb32216f0982cd9bca4d5c647bdd164894dd92747e977b527f3
Opcode Fuzzy Hash: b753b43cb2a5e00b0ea2fcf574848301aa915bcf242787dd7a01845f9005e14b
Instruction Fuzzy Hash: B9112AB5510208FFDB218FA5DC89AAEBBFCEF04B48B10849AA805D7150D6319E449760

Function 00B03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B433A2

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B03A04

Strings

Line: , xrefs: 00B433EB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9af9a042e7bdc1d6647a818209a3f919cfcb31ceea659a148b052ce2af80f26e
Instruction ID: 432de35457381d38275738843f4ef4b16aa4e017fc556dd7fee275c9712a86c9
Opcode Fuzzy Hash: 9af9a042e7bdc1d6647a818209a3f919cfcb31ceea659a148b052ce2af80f26e
Instruction Fuzzy Hash: 2D31D071509300AAC324EB24DC59BEBBBDCAB40B20F0449ABF599831D1EF709A49C7C6

Function 00B1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B20668

Part of subcall function 00B232A4: RaiseException.KERNEL32(?,?,?,00B2068A,?,00BD1444,?,?,?,?,?,?,00B2068A,00B01129,00BC8738,00B01129), ref: 00B23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B20685

Strings

Unknown exception, xrefs: 00B20692

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e7f623800fd0a1c48721c301a449724d86beec705031a8e8a8c2f2a03d73531a
Instruction ID: 50d985966826100e9536e92c5f15249dc00bb055498635d177e48aedb80f0283
Opcode Fuzzy Hash: e7f623800fd0a1c48721c301a449724d86beec705031a8e8a8c2f2a03d73531a
Instruction Fuzzy Hash: 7EF0C83490021DB7CB00B664F886DEE77EC9E00310B6045F5B81CD5593EF71DA65C6C0

Function 00B010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B01BF4
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B01BFC
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B01C07
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B01C12
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B01C1A
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B01C22

Part of subcall function 00B01B4A: RegisterWindowMessageW.USER32(00000004,?,00B012C4), ref: 00B01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B0136A
OleInitialize.OLE32 ref: 00B01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00B424AB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 64a2a5550402aa33fc6baea15d5b0e655df508a984a6febe2782d9e618e36bcb
Instruction ID: 384f912d272b4260ce6647424f884636cc2d1d3d963c9ee70466c5e91b65cded
Opcode Fuzzy Hash: 64a2a5550402aa33fc6baea15d5b0e655df508a984a6febe2782d9e618e36bcb
Instruction Fuzzy Hash: 5671A0B5A13200AEC784DFBDB965655BBE4BBA83483548EABD40AC7362FF384440CF54

Function 00B6C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B03A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B6C259
KillTimer.USER32(?,00000001,?,?), ref: 00B6C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B6C270

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9e70032d07fe05477318ee1e00ad82bcd991736ebd3a225e240223353385f1c3
Instruction ID: bb1e3321435cefd5fd7e97e1454f1ef3e8b933f551887ec6ba0010904eb584a1
Opcode Fuzzy Hash: 9e70032d07fe05477318ee1e00ad82bcd991736ebd3a225e240223353385f1c3
Instruction Fuzzy Hash: AE317370904354AFEB229F6488A5BE7BFECAF06704F0444DAD6DEA7241C7785A84CB51

Function 00B386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B385CC,?,00BC8CC8,0000000C), ref: 00B38704
GetLastError.KERNEL32(?,00B385CC,?,00BC8CC8,0000000C), ref: 00B3870E
__dosmaperr.LIBCMT ref: 00B38739

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a1dc5b818574ad6041639a3c218d584449f52e59efcc255a3603c5e2bccaef96
Instruction ID: eea9a92e8652d75a80c1ed660dabb637c750438d553ba3010f45539a41a5132c
Opcode Fuzzy Hash: a1dc5b818574ad6041639a3c218d584449f52e59efcc255a3603c5e2bccaef96
Instruction Fuzzy Hash: 76014932A0572067D7346334A947B7E7BDACB92774F3901DAF81A8B1D2DEB0CC818196

Function 00B0DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B0DB7B
DispatchMessageW.USER32(?), ref: 00B0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0DB9F
Sleep.KERNELBASE(0000000A), ref: 00B0DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00B51CC9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 34e50c50cccf0fe362bde3e09bd759aa1e31efaf56e5e2bd36e79a8bcad5e8a3
Instruction ID: c01fcc64c54cbde60af1520fcd2ae0c30fafd00e9700886c3e9aff2dcc410a4e
Opcode Fuzzy Hash: 34e50c50cccf0fe362bde3e09bd759aa1e31efaf56e5e2bd36e79a8bcad5e8a3
Instruction Fuzzy Hash: A7F054306043409BE730C7A48D85FEA77ECEB44311F504995E619870D0DB349448DB25

Function 00B11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B117F6

Strings

CALL, xrefs: 00B117C6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 551aa0ad265a608967ca018f8dc9fa5ed042b1eee5706697e53a484a7a63e75d
Instruction ID: af1955c319c4e24add763c820fef7a5fe3c673f493ad3fed23f5d46d8d99a981
Opcode Fuzzy Hash: 551aa0ad265a608967ca018f8dc9fa5ed042b1eee5706697e53a484a7a63e75d
Instruction Fuzzy Hash: F6228B706082019FC714DF18C490B6ABBF1FF99314F9489ADF9968B3A1D731E985CB92

Function 00B02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B42C8C

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B02DC4

Strings

X, xrefs: 00B42C5A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bb74d3684e5de47c9112bf4a3335bd211afb07b52babfc9554c21bd77727acc4
Instruction ID: b3266be7be2d5e2839259c3254f0f0c63348f3ef2c1475168a27f7a8fa508792
Opcode Fuzzy Hash: bb74d3684e5de47c9112bf4a3335bd211afb07b52babfc9554c21bd77727acc4
Instruction Fuzzy Hash: 2D219371A00258AFDB05EF94C849BEE7BFCAF49714F00409AE505A7281DFB49A8D8B61

Function 00B03837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03908

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 872f1a049998dcdc2d052abc3b8d1532e78dc04d04c0385481d6679228a8d8f1
Instruction ID: ae31d533037ed47c5d659afdcd61191983aad0503a911b8b4b754d44d7d45a2e
Opcode Fuzzy Hash: 872f1a049998dcdc2d052abc3b8d1532e78dc04d04c0385481d6679228a8d8f1
Instruction Fuzzy Hash: 1931A770605701EFD720DF24D898797BBE8FB49718F0009AFF59A83290EB71AA44CB56

Function 00B1F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B1F661

Part of subcall function 00B0D730: GetInputState.USER32 ref: 00B0D807

Sleep.KERNEL32(00000000), ref: 00B5F2DE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d06c293aaee61f47400e617c9549259cd264b71733f8ae75c1a6be77046e56bf
Instruction ID: 57b76df67afb687914abffd6d2372644ef31de5127195548ed564526c8445115
Opcode Fuzzy Hash: d06c293aaee61f47400e617c9549259cd264b71733f8ae75c1a6be77046e56bf
Instruction Fuzzy Hash: 48F08C312402059FD310EF69D959F6ABBE8FF59761F0000AAE85DC73A1DB70AC00CB90

Function 00B04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E9C
Part of subcall function 00B04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B04EAE
Part of subcall function 00B04E90: FreeLibrary.KERNEL32(00000000,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EFD

Part of subcall function 00B04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E62
Part of subcall function 00B04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B04E74
Part of subcall function 00B04E59: FreeLibrary.KERNEL32(00000000,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E87

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b6dd3b09282fcf7cc057999bd2b48d0699a949437b6d64f4a0f910998fc04e19
Instruction ID: ed2ff3f6bf27b964110eccb3eccd0754e2b473a198e7f88ccf5254328f48fec9
Opcode Fuzzy Hash: b6dd3b09282fcf7cc057999bd2b48d0699a949437b6d64f4a0f910998fc04e19
Instruction Fuzzy Hash: 4311E771610306AADF24BB60DC42FED7BE5AF40B11F2084ADF656A61D2EFB09A059B50

Function 00B38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B38440

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b39841514df3b22cafd6982922fc3982d99cc324e913327bc4494cd200c96ad1
Instruction ID: d20fd6ac125feb91b029e0c94ed49c077a20f543a154e67207a38f0ae1afe9bd
Opcode Fuzzy Hash: b39841514df3b22cafd6982922fc3982d99cc324e913327bc4494cd200c96ad1
Instruction Fuzzy Hash: 9C112A7590420AAFCF15DF58E94199E7BF5EF48314F104099FC08AB312DB31EA11CBA5

Function 00B2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 57f0992646c1725eb15509571e5688c14c3c28994a312d62806ba6dacf9b15c7
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D0F0F432510A3096C6323A6ABC05B5A33D8DF52331F2007E5F438962D2DB74E80186A6

Function 00B33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25883fe872b88fe502f4ce5468cfbe994b864aedc3a4a11be891539a96114130
Instruction ID: 88479147b0f2bdb61a102894d5e84026db470cebdb62594449ff1c806eea4bfe
Opcode Fuzzy Hash: 25883fe872b88fe502f4ce5468cfbe994b864aedc3a4a11be891539a96114130
Instruction Fuzzy Hash: 79E0E531101234A6E6212A66AC00B9B37C8EF42FB0F3500B1BD08A28A0EF10DD0183E4

Function 00B04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04F6D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5c574e05d34d9b7028a901f1983db13b000c1f2a6bc30af54d8da84be583fe3a
Instruction ID: 0b76e03610ce683d5369142bf6cc858722b72d4cda7721f4d9ec63e8e5da555a
Opcode Fuzzy Hash: 5c574e05d34d9b7028a901f1983db13b000c1f2a6bc30af54d8da84be583fe3a
Instruction Fuzzy Hash: 8EF015B1105752CFDB349F64E490822BBE4EF1432932089AEE3EE92661CB319884DB10

Function 00B92A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B92A66

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 24be550faac2f4736a752c1cc2429c4307bd166afd68671c292f7c9c8f3a7da2
Instruction ID: d6e0be4ff6486c9b473d554b8482e69c107e612e162b5806543c2b5058cd2c88
Opcode Fuzzy Hash: 24be550faac2f4736a752c1cc2429c4307bd166afd68671c292f7c9c8f3a7da2
Instruction Fuzzy Hash: 46E04F77754116BACB14EB34DC808FA77DCEB6039571045B6EC2AD2140DB34999586B0

Function 00B030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B0314E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 5974d0ab7eef1cd67935ecd3945b417fab19b27bd9876faafe07607376d2e82e
Instruction ID: 418b57dd32ca412c29d61d0ae72b48eea9d14874539368e9b3faa529a161f608
Opcode Fuzzy Hash: 5974d0ab7eef1cd67935ecd3945b417fab19b27bd9876faafe07607376d2e82e
Instruction Fuzzy Hash: DBF03770A14314BFEB52DB28DC497D5BBFCA705708F0000E6A54897291EB745788CF55

Function 00B02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B02DC4

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2fafb7ea477e0f656da037a0401057494f8aae90b735a6756e571072782af778
Instruction ID: 033b96e54742bfaff469dbaa2a8314b095dda8731749367045838a83be295924
Opcode Fuzzy Hash: 2fafb7ea477e0f656da037a0401057494f8aae90b735a6756e571072782af778
Instruction Fuzzy Hash: 6EE0CD72A001245BC710D7589C06FDA77DDDFC8790F0400B1FD09D7248DD60AD848550

Function 00B02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03908

Part of subcall function 00B0D730: GetInputState.USER32 ref: 00B0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B02B6B

Part of subcall function 00B030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B0314E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1ece1f2157014d62539145572375d222d17d2e6d80424ec09bfe68b5d3b31040
Instruction ID: bf2c5542b5403e1fbe467e4fa0ced64724bf5bf3dd2bebf389be1e0af0f11a56
Opcode Fuzzy Hash: 1ece1f2157014d62539145572375d222d17d2e6d80424ec09bfe68b5d3b31040
Instruction Fuzzy Hash: 7AE0862230424417C604BB74985A57DFFDD9BD1751F4059FFF142432E3DE2549494751

Function 00B4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B40704,?,?,00000000,?,00B40704,00000000,0000000C), ref: 00B403B7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a361ca0bd8d5bd97374ad879cbdb137a6fa89b30286adf9de36bc9cf21e2e3f
Instruction ID: f98dc9624604ee4e51592e429f2e1b766fcb9569bac019ffaad25cef321f951a
Opcode Fuzzy Hash: 9a361ca0bd8d5bd97374ad879cbdb137a6fa89b30286adf9de36bc9cf21e2e3f
Instruction Fuzzy Hash: 4AD06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E821ABA4

Function 00B01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B01CBC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c6f578b2a5e7521da12698376b18a013151302943809928c702aa4da1622f5d9
Instruction ID: 0bbf5f35545081632cd372ceb1d47292128b686d78f6049c5aee52ab083576a5
Opcode Fuzzy Hash: c6f578b2a5e7521da12698376b18a013151302943809928c702aa4da1622f5d9
Instruction Fuzzy Hash: 20C09B35281304BFF2144784BD5BF10BB54A368B14F544403F609575E3DBA11410D654

Non-executed Functions

Function 00B99576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B996C9
SendMessageW.USER32 ref: 00B996F2
GetKeyState.USER32(00000011), ref: 00B9978B
GetKeyState.USER32(00000009), ref: 00B99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B997AE
GetKeyState.USER32(00000010), ref: 00B997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B997E9
SendMessageW.USER32 ref: 00B99810
SendMessageW.USER32(?,00001030,?,00B97E95), ref: 00B99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B99941
SetCapture.USER32(?), ref: 00B9994A
ClientToScreen.USER32(?,?), ref: 00B999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B999D6
ReleaseCapture.USER32 ref: 00B999E1
GetCursorPos.USER32(?), ref: 00B99A19
ScreenToClient.USER32(?,?), ref: 00B99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B99A80
SendMessageW.USER32 ref: 00B99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B99AEB
SendMessageW.USER32 ref: 00B99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B99B4A
GetCursorPos.USER32(?), ref: 00B99B68
ScreenToClient.USER32(?,?), ref: 00B99B75
GetParent.USER32(?), ref: 00B99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B99BFA
SendMessageW.USER32 ref: 00B99C2B
ClientToScreen.USER32(?,?), ref: 00B99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B99CDE
SendMessageW.USER32 ref: 00B99D01
ClientToScreen.USER32(?,?), ref: 00B99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B99D82

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

GetWindowLongW.USER32(?,000000F0), ref: 00B99E05

Strings

@GUI_DRAGID, xrefs: 00B9997D
F, xrefs: 00B99D07

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8fc09742d9d9722d1599f472e70d78f9c22554ee809272a01f729286bc300959
Instruction ID: b838dee1b642d91244b0ae3bb3733278679c2fec839c0d9ffc7ca7920f2e626b
Opcode Fuzzy Hash: 8fc09742d9d9722d1599f472e70d78f9c22554ee809272a01f729286bc300959
Instruction Fuzzy Hash: 2442AF31204241AFDB64CF68CD94EAABBE5FF49310F104AAEF559872A1DB31E891CF51

Function 00B94873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B94A7E
IsMenu.USER32(?), ref: 00B94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B94B20
GetWindowLongW.USER32(?,000000F0), ref: 00B94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B94C82
wsprintfW.USER32 ref: 00B94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B94D5A

Strings

%d/%02d/%02d, xrefs: 00B94CA8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 25913ba506b541b1d491e20a73b6ec952637532e621fd0edaf7ef5eb387a59c6
Instruction ID: 121c93146cc49ea249d1f2efd5f586873e0e94cd479d1df45fde8cea24f23f6f
Opcode Fuzzy Hash: 25913ba506b541b1d491e20a73b6ec952637532e621fd0edaf7ef5eb387a59c6
Instruction Fuzzy Hash: 4312D071600215ABEF248F28CD49FAE7BF8EF45710F1441AAF51AEB2E1DB749942CB50

Function 00B1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B5F474
IsIconic.USER32(00000000), ref: 00B5F47D
ShowWindow.USER32(00000000,00000009), ref: 00B5F48A
SetForegroundWindow.USER32(00000000), ref: 00B5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5F4AA
GetCurrentThreadId.KERNEL32 ref: 00B5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B5F4DE
SetForegroundWindow.USER32(00000000), ref: 00B5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F4F6
keybd_event.USER32(00000012,00000000), ref: 00B5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F50B
keybd_event.USER32(00000012,00000000), ref: 00B5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F519
keybd_event.USER32(00000012,00000000), ref: 00B5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F528
keybd_event.USER32(00000012,00000000), ref: 00B5F52D
SetForegroundWindow.USER32(00000000), ref: 00B5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B5F557

Strings

Shell_TrayWnd, xrefs: 00B5F46F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9d46f60a163dc9287bc3cdbed417987aeed13b3a9c98656e0f1c1f329e2a3473
Instruction ID: 7bc89c643c0203d6dbd65a32ca5e2a4af55c1a00e790c91c2dc7f1f7713a4886
Opcode Fuzzy Hash: 9d46f60a163dc9287bc3cdbed417987aeed13b3a9c98656e0f1c1f329e2a3473
Instruction Fuzzy Hash: 62317271A40318BBEB206BB55D4AFBF7EACEB44B51F1104A6FA04E71D1DBB15D00AA60

Function 00B61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
Part of subcall function 00B616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
Part of subcall function 00B616C3: GetLastError.KERNEL32 ref: 00B6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B612A8
CloseHandle.KERNEL32(?), ref: 00B612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B612D1
GetProcessWindowStation.USER32 ref: 00B612EA
SetProcessWindowStation.USER32(00000000), ref: 00B612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B61310

Part of subcall function 00B610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B611FC), ref: 00B610D4
Part of subcall function 00B610BF: CloseHandle.KERNEL32(?,?,00B611FC), ref: 00B610E9

Strings

default, xrefs: 00B6130B
winsta0, xrefs: 00B612CC
, xrefs: 00B6125A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cf071eef4deb44744114e33832513c16795db73041b0f7425bafe827b697ca97
Instruction ID: 47b236bd2fc45815d2c5747f144421296bdf20f0865acbbda609c23a7457eee4
Opcode Fuzzy Hash: cf071eef4deb44744114e33832513c16795db73041b0f7425bafe827b697ca97
Instruction Fuzzy Hash: E5818D71900209ABDF109FA8DD49BEE7BF9EF04704F1845AAF910B72A0DB798944CF21

Function 00B60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
Part of subcall function 00B610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
Part of subcall function 00B610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
Part of subcall function 00B610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B60C00
GetLengthSid.ADVAPI32(?), ref: 00B60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B60C6D
GetLengthSid.ADVAPI32(?), ref: 00B60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B60C8C
HeapAlloc.KERNEL32(00000000), ref: 00B60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B60CB4
CopySid.ADVAPI32(00000000), ref: 00B60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D45
HeapFree.KERNEL32(00000000), ref: 00B60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D55
HeapFree.KERNEL32(00000000), ref: 00B60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D65
HeapFree.KERNEL32(00000000), ref: 00B60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B60D78
HeapFree.KERNEL32(00000000), ref: 00B60D7F

Part of subcall function 00B61193: GetProcessHeap.KERNEL32(00000008,00B60BB1,?,00000000,?,00B60BB1,?), ref: 00B611A1
Part of subcall function 00B61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B60BB1,?), ref: 00B611A8
Part of subcall function 00B61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B60BB1,?), ref: 00B611B7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 436e4c198fc412dc1521fd96a96b55faa984b34cd0c5a24afd8722d5eca2158d
Instruction ID: 5a2d901e54ebc50bb409dee0d83ad95b0df491af014a0505bc7c839525db8b69
Opcode Fuzzy Hash: 436e4c198fc412dc1521fd96a96b55faa984b34cd0c5a24afd8722d5eca2158d
Instruction Fuzzy Hash: 8C717C7290021AAFDF10EFA5DD44FAFBBB8FF05300F1446A5E914A7191DB75A905CB60

Function 00B7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B9CC08), ref: 00B7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B7EB37
GetClipboardData.USER32(0000000D), ref: 00B7EB43
CloseClipboard.USER32 ref: 00B7EB4F
GlobalLock.KERNEL32(00000000), ref: 00B7EB87
CloseClipboard.USER32 ref: 00B7EB91
GlobalUnlock.KERNEL32(00000000), ref: 00B7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B7EBC9
GetClipboardData.USER32(00000001), ref: 00B7EBD1
GlobalLock.KERNEL32(00000000), ref: 00B7EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00B7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B7EC38
GetClipboardData.USER32(0000000F), ref: 00B7EC44
GlobalLock.KERNEL32(00000000), ref: 00B7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00B7ECF3
CountClipboardFormats.USER32 ref: 00B7ED14
CloseClipboard.USER32 ref: 00B7ED59

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f0d2f09925a67e4b5df07052433427573d54a3c15fc14d613e509b847a698855
Instruction ID: 15cab051d7a7011437e8d31a746479c8785a56e91e621fcbc40a070c2ebe2e06
Opcode Fuzzy Hash: f0d2f09925a67e4b5df07052433427573d54a3c15fc14d613e509b847a698855
Instruction Fuzzy Hash: 6E61BF34204201AFD310EF24D985F2A7FE4EF88714F1485DAF46A972A2DF31D905CBA2

Function 00B7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B769BE
FindClose.KERNEL32(00000000), ref: 00B76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B76A75

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B76ADF

Strings

%02d, xrefs: 00B76C00, 00B76C0A, 00B76C5A, 00B76CAA, 00B76CFA, 00B76D4A
%4d, xrefs: 00B76BB1
%03d, xrefs: 00B76DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00B76B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B76B32

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b0be3e56fa0747383a505df3cf79cf40da00bcb65685304247ab0ad6a3120557
Instruction ID: 15ed826d91b00fb25c5bbbda8ceeb13b23a56d9b9ee07448bd1b6d0bc611d6f5
Opcode Fuzzy Hash: b0be3e56fa0747383a505df3cf79cf40da00bcb65685304247ab0ad6a3120557
Instruction Fuzzy Hash: 7DD16371508341AFC310EBA4C882EABBBECEF88704F44499DF599D7191EB34DA44CB62

Function 00B79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B79663
GetFileAttributesW.KERNEL32(?), ref: 00B796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00B796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00B796D3
FindClose.KERNEL32(00000000), ref: 00B796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00B796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7974A
SetCurrentDirectoryW.KERNEL32(00BC6B7C), ref: 00B79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B79772
FindClose.KERNEL32(00000000), ref: 00B7977F
FindClose.KERNEL32(00000000), ref: 00B7978F

Strings

*.*, xrefs: 00B796F5

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fbdd810d3ad6b7eaddc059981a641f89f100b5a3cab700f6bc1a9bd2dafdad4e
Instruction ID: 9528d42073023db67dfe5871efa4023c58ea9664d0d90d00338574d662d053d3
Opcode Fuzzy Hash: fbdd810d3ad6b7eaddc059981a641f89f100b5a3cab700f6bc1a9bd2dafdad4e
Instruction Fuzzy Hash: F631A2325412196ADB28EFB4ED49EDE7BECDF09320F1081D6E829E31A0DB30DD448A64

Function 00B7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00B79819
FindClose.KERNEL32(00000000), ref: 00B79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00B79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00B79890
SetCurrentDirectoryW.KERNEL32(00BC6B7C), ref: 00B798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B798B8
FindClose.KERNEL32(00000000), ref: 00B798C5
FindClose.KERNEL32(00000000), ref: 00B798D5

Part of subcall function 00B6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B6DB00

Strings

*.*, xrefs: 00B7983B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: dc87a492dd8af81882bde57d334c16c46e868cad7f335379a0c6148a69d67f00
Instruction ID: 28c8c2848c6b6536229ccc01d5a7471cb2c3da9224cf0d192d87ffa47317ae14
Opcode Fuzzy Hash: dc87a492dd8af81882bde57d334c16c46e868cad7f335379a0c6148a69d67f00
Instruction Fuzzy Hash: 63319331541619AADB24EFB4EC49EDE77FCDF06360F1481D6E828A31E0DB30DD448A65

Function 00B8BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B8BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00B8BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B8C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B8C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B8C382
RegCloseKey.ADVAPI32(00000000), ref: 00B8C38F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: da42300a44a752cbde2a657a4535e39ecce1e48971ba4e07a1870980f439f861
Instruction ID: fd1611c9d9e7e0529d31ea6746e3243257cacdf5a3221f841bdd5e03ab4982f9
Opcode Fuzzy Hash: da42300a44a752cbde2a657a4535e39ecce1e48971ba4e07a1870980f439f861
Instruction Fuzzy Hash: 07023EB16042009FD714DF28C895E2ABBE5EF49314F18C59DF84ADB2A2DB31ED46CB61

Function 00B78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78395

Strings

*.*, xrefs: 00B7839B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 13648d234d96089736664e04b04e2907d67cbfc6f5f345a555786b18ff3db25c
Instruction ID: be77f013e5c4df7ff24197a2593b3036f2083e037babe9524ac7970aad5b1480
Opcode Fuzzy Hash: 13648d234d96089736664e04b04e2907d67cbfc6f5f345a555786b18ff3db25c
Instruction Fuzzy Hash: 88617AB25083059FCB10EF64C8849AEB7E8FF89314F04899EF999D7251DB31E945CB92

Function 00B6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B6D1DD
MoveFileW.KERNEL32(?,?), ref: 00B6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6D237

Part of subcall function 00B6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B6D21C,?,?), ref: 00B6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00B6D253
FindClose.KERNEL32(00000000), ref: 00B6D264

Strings

\*.*, xrefs: 00B6D0CD, 00B6D0D6, 00B6D0EB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: baf631d3afb1da7c085a914c4091a62cec3d6eb3cf1b85584fca409e6ae9dbb3
Instruction ID: 4eaff6efb94e0621e259d055c620885e1afdddeeace14291651857107bf393d5
Opcode Fuzzy Hash: baf631d3afb1da7c085a914c4091a62cec3d6eb3cf1b85584fca409e6ae9dbb3
Instruction Fuzzy Hash: 2B614D31D0124D9FCF15EBA0CA929EEBBF9AF55340F2481A5E40177192EB34AF09DB61

Function 00B7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B7ED91
EmptyClipboard.USER32 ref: 00B7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B7EDAC
CloseClipboard.USER32 ref: 00B7EEA3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c89d914856fc85930c388f39665fcfc09021a6e7955253be3ab7d97c374cd594
Instruction ID: 40a4c5fd815de2445da0481b5dee1b85fb522b04d9c1d1cd48d2583be2b6a028
Opcode Fuzzy Hash: c89d914856fc85930c388f39665fcfc09021a6e7955253be3ab7d97c374cd594
Instruction Fuzzy Hash: CD418E35604611AFD720DF15E888B19BFE5EF48328F14C4DAE4298B6A2CB35EC41CB90

Function 00B6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
Part of subcall function 00B616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
Part of subcall function 00B616C3: GetLastError.KERNEL32 ref: 00B6174A

ExitWindowsEx.USER32(?,00000000), ref: 00B6E932

Strings

, xrefs: 00B6E95C
@, xrefs: 00B6E925
, xrefs: 00B6E920
SeShutdownPrivilege, xrefs: 00B6E902

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 52fe72d0213b1e858fd3157823f3f80c77e8f92063b97944236fdb4db8a600d0
Instruction ID: f92bd16bbebd538187eba42b7ad5d6565432ca625a0acca56a6536a95d339476
Opcode Fuzzy Hash: 52fe72d0213b1e858fd3157823f3f80c77e8f92063b97944236fdb4db8a600d0
Instruction Fuzzy Hash: 0D012B36610210ABFB1426749C8AFBB73ECDF14740F1508A2F822E31D1DAB99C4083A0

Function 00B81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B81276
WSAGetLastError.WSOCK32 ref: 00B81283
bind.WSOCK32(00000000,?,00000010), ref: 00B812BA
WSAGetLastError.WSOCK32 ref: 00B812C5
closesocket.WSOCK32(00000000), ref: 00B812F4
listen.WSOCK32(00000000,00000005), ref: 00B81303
WSAGetLastError.WSOCK32 ref: 00B8130D
closesocket.WSOCK32(00000000), ref: 00B8133C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4c3bcb1bcef9720a7be89d55cc4f6f8be45eefc821bbb0a917b0f2ae60e47703
Instruction ID: 9805c28f3e2ef23f8e05eb0718695904b3ae2eb75be804fd1aa13d980e278fb7
Opcode Fuzzy Hash: 4c3bcb1bcef9720a7be89d55cc4f6f8be45eefc821bbb0a917b0f2ae60e47703
Instruction Fuzzy Hash: F84181316011009FD710EF68C5C4B69BBE5EF46318F1885C9D8569F2E6C771ED86CBA1

Function 00B3B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3B9D4
_free.LIBCMT ref: 00B3B9F8
_free.LIBCMT ref: 00B3BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BA3700), ref: 00B3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD1270,000000FF,?,0000003F,00000000,?), ref: 00B3BC36
_free.LIBCMT ref: 00B3BD4B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 7ba1003a08317ae15874d3cb3564c3b3b7ab6a12fa07788be5407ba7601d2714
Instruction ID: 900c827b64dc2bee07a59096d9c5dcf0a6b4a4b08b8d90c076deb95fd83a4179
Opcode Fuzzy Hash: 7ba1003a08317ae15874d3cb3564c3b3b7ab6a12fa07788be5407ba7601d2714
Instruction Fuzzy Hash: A0C11371A04208AFCB24DF689C51FAABBE8EF45310F3445EAE694D7259EF319E41C750

Function 00B6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6D481
FindClose.KERNEL32(00000000), ref: 00B6D498
FindClose.KERNEL32(00000000), ref: 00B6D4A1

Strings

\*.*, xrefs: 00B6D3F2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c28d6ac7e7d1afe836c0935085ba13623c2028e756ec0eb919aab5d9563a63e8
Instruction ID: 91677ac8de408e3fd63e5ee2222b491b64c09fc7a1e4b5081ef0d6ef66755e20
Opcode Fuzzy Hash: c28d6ac7e7d1afe836c0935085ba13623c2028e756ec0eb919aab5d9563a63e8
Instruction Fuzzy Hash: FB316D315183459FC204EF64C8959AFBBE8AE92340F444E9EF4D1932D1EF34AE098B62

Function 00B3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B3E645

Strings

1#QNAN, xrefs: 00B3F84B
1#SNAN, xrefs: 00B3F844
1#IND, xrefs: 00B3F83D
1#INF, xrefs: 00B3F852

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 824e569cf8b34866068799c06da4e083fa4be2785bbcb639460e479880943cad
Instruction ID: 35f7b0053496d21c00f73a9cf20e22c0a016975a798247468270cfe7a9cad69f
Opcode Fuzzy Hash: 824e569cf8b34866068799c06da4e083fa4be2785bbcb639460e479880943cad
Instruction Fuzzy Hash: 88C23A71E086298FDB25CE28DD807EAB7F5EB48304F2541EAD45DE7281E774AE858F40

Function 00B7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B764DC
CoInitialize.OLE32(00000000), ref: 00B76639
CoCreateInstance.OLE32(00B9FCF8,00000000,00000001,00B9FB68,?), ref: 00B76650
CoUninitialize.OLE32 ref: 00B768D4

Strings

.lnk, xrefs: 00B764BA, 00B76524, 00B765E0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6facb5bf12b251d574e5bec0d7fb6cc67aa2be575bbd3bc2499f3b1276446839
Instruction ID: c6363f52e3b6d672da95a2e14ace3335e2aa5292ce4c264549b91dc26818325d
Opcode Fuzzy Hash: 6facb5bf12b251d574e5bec0d7fb6cc67aa2be575bbd3bc2499f3b1276446839
Instruction Fuzzy Hash: 56D14A715087019FC314EF24C88196BBBE9FF94704F0089ADF5998B2A1EB70ED09CB92

Function 00B822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B822E8

Part of subcall function 00B7E4EC: GetWindowRect.USER32(?,?), ref: 00B7E504

GetDesktopWindow.USER32 ref: 00B82312
GetWindowRect.USER32(00000000), ref: 00B82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B82355
GetCursorPos.USER32(?), ref: 00B82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B823DF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9b0ca28260705c7f11352fcded7523c33909e29648c920d2192a1ae8137d3393
Instruction ID: 5b669bc3604c12a79e9f4f18d627130cac87c745f01354e405016a621a53560a
Opcode Fuzzy Hash: 9b0ca28260705c7f11352fcded7523c33909e29648c920d2192a1ae8137d3393
Instruction Fuzzy Hash: 2E31E072504315AFCB20EF54D849B5BBBE9FF88310F00095AF999A7191DB34EA08CB96

Function 00B79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B79C8B

Part of subcall function 00B73874: GetInputState.USER32 ref: 00B738CB
Part of subcall function 00B73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B79C75

Strings

*.*, xrefs: 00B79B5D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4516f6d3fea3e7e95efd65683312f8e519f6e00b1a4b9d57e88952ff0b4b62aa
Instruction ID: 4525ad2bbea6e3e3bc41201d8b843a78f764ec30070c3d23647f53a6f754a0da
Opcode Fuzzy Hash: 4516f6d3fea3e7e95efd65683312f8e519f6e00b1a4b9d57e88952ff0b4b62aa
Instruction Fuzzy Hash: 26413171904209AFDF15DF64C985AEEBBF8EF05350F248196E419A3291DB309E84CF65

Function 00B1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B19A4E
GetSysColor.USER32(0000000F), ref: 00B19B23
SetBkColor.GDI32(?,00000000), ref: 00B19B36

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b39ee8e50ba5c7b94245f67535785b42d0e68dcaf9fa0dfd705220f601589715
Instruction ID: 9b8a6cb03ebcb52628ced1850b0d33118c66e53435eac3e53c40ce35529c3531
Opcode Fuzzy Hash: b39ee8e50ba5c7b94245f67535785b42d0e68dcaf9fa0dfd705220f601589715
Instruction Fuzzy Hash: C4A13970318484BEE729AA2CACF8EFB2ADDDF46741F5401D9F802C7691DE259D89C271

Function 00B81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
Part of subcall function 00B8304E: _wcslen.LIBCMT ref: 00B8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B8185D
WSAGetLastError.WSOCK32 ref: 00B81884
bind.WSOCK32(00000000,?,00000010), ref: 00B818DB
WSAGetLastError.WSOCK32 ref: 00B818E6
closesocket.WSOCK32(00000000), ref: 00B81915

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: da92464f375b73886a6ff7a31a3c22a668cfd55bf95d5d6b486babbd378ca73e
Instruction ID: f8c3aeae7db3c69a750c6ad44920ca534637300f4f16da7e4b5812d51d1e8d06
Opcode Fuzzy Hash: da92464f375b73886a6ff7a31a3c22a668cfd55bf95d5d6b486babbd378ca73e
Instruction Fuzzy Hash: 95518171A002109FD710AF28C886F6A7BE5EB44718F5485D8F9095F3D3DB71AD82CBA1

Function 00B91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B91CC0
IsWindowEnabled.USER32 ref: 00B91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B91CDB
IsIconic.USER32 ref: 00B91CE9
IsZoomed.USER32 ref: 00B91CF7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 69c915dc84daf66c30ec0ab3220360cf694c3ca8afd22d2342e7ff4d66cc975d
Instruction ID: 1df74a89638af84727ff44751f04f249ca62786ffdd91c11ffb4f14f88bff762
Opcode Fuzzy Hash: 69c915dc84daf66c30ec0ab3220360cf694c3ca8afd22d2342e7ff4d66cc975d
Instruction Fuzzy Hash: 912171317402125FDB208F2AD884B6A7FE5EF95315B1984B9E84A8F351CB71DC42DB90

Function 00B08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B083FA
VUUU, xrefs: 00B083E8
VUUU, xrefs: 00B45DF0
VUUU, xrefs: 00B0843C
ERCP, xrefs: 00B0813C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 250a155ee9a7ee83a2cc7e5f6371dcc49c428f17d3627c730e2d34f881efa066
Instruction ID: 52e7d8921268eac05f74b9e1e6f4b2790e3e09e8f76ae26fa71d6a19293c5e54
Opcode Fuzzy Hash: 250a155ee9a7ee83a2cc7e5f6371dcc49c428f17d3627c730e2d34f881efa066
Instruction Fuzzy Hash: B4A24B70A0061ACBDF24CF58C8807AEBBF1FB55310F2481EAE855A7285DB719F81DB91

Function 00B6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B6AAAC
SetKeyboardState.USER32(00000080), ref: 00B6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B6AB88

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b42ddd25dfe9325a979d764ada8518e06eedec619eb38ed7e0da6643d3cbd03d
Instruction ID: e6736e4dad66ea814529da6c73e50ef820575c5a6ccdd5db3518a7096bb1237d
Opcode Fuzzy Hash: b42ddd25dfe9325a979d764ada8518e06eedec619eb38ed7e0da6643d3cbd03d
Instruction Fuzzy Hash: D6310530A40208AEEF35DA658C45BFE7BEAEB45310F08429BE581A61D1D77D8D85CB62

Function 00B7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B7CE89
GetLastError.KERNEL32(?,00000000), ref: 00B7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00B7CEFE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 74c8e7d45d3da7e175380211ad1d2c55acce6db099c34bff6de21e0bb20bb658
Instruction ID: e7e542c5f64b443aa5e588a83d965c5e29869e1bba0a737e70155dc7784edd2f
Opcode Fuzzy Hash: 74c8e7d45d3da7e175380211ad1d2c55acce6db099c34bff6de21e0bb20bb658
Instruction Fuzzy Hash: C721CF715007059FEB30DFA5D988BA77BFCEB00314F10849EE56AD2151EB74EE488B64

Function 00B68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B682AA

Strings

(, xrefs: 00B682F0
|, xrefs: 00B682DA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 0b3c3541413161a33a4d9cfea0364695524a1378916e332b912c521b3a0d3bbd
Instruction ID: 7691b221d958d7d9d322366d53c658f75edbe2411257885aeebb506ddb9e525a
Opcode Fuzzy Hash: 0b3c3541413161a33a4d9cfea0364695524a1378916e332b912c521b3a0d3bbd
Instruction Fuzzy Hash: 24323575A007059FCB28CF19C081A6AB7F0FF48710B15C5AEE49ADB3A1EB74E981CB44

Function 00B75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00B75D17
FindClose.KERNEL32(?), ref: 00B75D5F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2415812b72058d5b69951e17ac17d41ad375899225bdd799500125ff4a13069d
Instruction ID: 6c01ba2d556f47fa974f01bd2d2c6a6a811e4ef2705cdc2802f1d8764d4d891e
Opcode Fuzzy Hash: 2415812b72058d5b69951e17ac17d41ad375899225bdd799500125ff4a13069d
Instruction Fuzzy Hash: 51517A74604A019FC724DF28C494E9ABBE4FF49314F1485AEE96A8B3A1DB70FD44CB91

Function 00B32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B32731

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 93158d75010296c521d01560a4f49815bbe5a34771130ea399fe4ad27cebbcc8
Instruction ID: 692044feec7c8e0a9d97903f0e82f26f4d929ed5a7fb0988382146a8d051f5d5
Opcode Fuzzy Hash: 93158d75010296c521d01560a4f49815bbe5a34771130ea399fe4ad27cebbcc8
Instruction Fuzzy Hash: D431B474951228ABCB21DF64DD89799BBF8BF08310F5041EAE41CA7261EB309F818F45

Function 00B751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B75238
SetErrorMode.KERNEL32(00000000), ref: 00B752A1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5b8a2a12ee7c4f7407d864edc0f0a92d967a7167d52f786e3e4601e91cab5b0e
Instruction ID: 33570aeacdaaa48e2c0f9bb388653dbafffe70fd374c3c35dc5fe981525d6033
Opcode Fuzzy Hash: 5b8a2a12ee7c4f7407d864edc0f0a92d967a7167d52f786e3e4601e91cab5b0e
Instruction Fuzzy Hash: 16313E75A00518DFDB00DF54D884EADBBF4FF49314F098099E909AB3A2DB71E856CBA1

Function 00B616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B20668
Part of subcall function 00B1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
GetLastError.KERNEL32 ref: 00B6174A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d78618e032ef2f928fc71449af372565471c17e8a918f8161707894f106b8858
Instruction ID: 90c23e4cb501ec3b7c9684ff7a1f7bcc8da6f55dbebba19d0342e1d1ad758a93
Opcode Fuzzy Hash: d78618e032ef2f928fc71449af372565471c17e8a918f8161707894f106b8858
Instruction Fuzzy Hash: 171191B2504305AFD7189F54ECC6DBABBF9FB44714B24856EE05697241EB70BC41CB24

Function 00B6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B6D650

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7b71d6566c4d3e9209e74c460b8a9f7284a3fdc9d72a850bfd53f7fbff6daf47
Instruction ID: 87236635cf72e4cef99097450d6e71110b8a12fc973f371da90a9cd3eb4dbffe
Opcode Fuzzy Hash: 7b71d6566c4d3e9209e74c460b8a9f7284a3fdc9d72a850bfd53f7fbff6daf47
Instruction Fuzzy Hash: C6115E75E05228BFDB108F95DD45FAFBFBCEB45B50F108166F904E7290D6704A058BA1

Function 00B61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B616A1
FreeSid.ADVAPI32(?), ref: 00B616B1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 362548dce6b632dff04c6d351baea68c8a2f813c7e801a22205b38619dc2a8da
Instruction ID: ffa3c4c608e16360fb68496882f25a2719b6d5916a4bab64a71dc99a8f4b48e6
Opcode Fuzzy Hash: 362548dce6b632dff04c6d351baea68c8a2f813c7e801a22205b38619dc2a8da
Instruction Fuzzy Hash: 13F0F475950309FBDB00DFE4DD89AAEBBBCEB08604F5049A5E501E2191E774AA448A50

Function 00B3C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B3C36C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 34c86f47f4630c232cf03f562b7b6be1e2cb0e30b21cb6e6f5d341f222876332
Instruction ID: fcc454e33243a448153d0b8340bca322796eba8feb518d63a865ef66db423e3f
Opcode Fuzzy Hash: 34c86f47f4630c232cf03f562b7b6be1e2cb0e30b21cb6e6f5d341f222876332
Instruction Fuzzy Hash: 4E412876500219AFCB249FF9DC49EAB7BF8EB84314F6042A9F915E7180E670AD418B54

Function 00B5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B5D28C

Strings

X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 19f2636643c5f90e3a304bae6539cf0a26706c476b81ea72bb6e9708e46ada4d
Instruction ID: 69faa81ba87532de38543a3df718bc01365ea00f955f5d34a2ce2e550a734bcf
Opcode Fuzzy Hash: 19f2636643c5f90e3a304bae6539cf0a26706c476b81ea72bb6e9708e46ada4d
Instruction Fuzzy Hash: 5DD0C9B480111DEECB90CB90DCC8DDDB7BCBB04305F100292F506A2000DB7096488F20

Function 00B2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bfd45df29a502ab5c5265a3b1886edc0c2d0fab16f104cdb785946c9aa80db27
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 70023D71E001299FDF14CFA9D9806ADFBF1EF48314F2582AAD819E7385D731AE458B84

Function 00B768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B76918
FindClose.KERNEL32(00000000), ref: 00B76961

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 43f24e8d1ffeaa26c2e8994307d8610c5424bbbcc61e9d2bbaf6ba9506c2c4c9
Instruction ID: 83d1a6de00622faad3102beb25f885d9997b22ea7f41efae417df27fd2b30656
Opcode Fuzzy Hash: 43f24e8d1ffeaa26c2e8994307d8610c5424bbbcc61e9d2bbaf6ba9506c2c4c9
Instruction Fuzzy Hash: 6F1190716046019FC710DF29D888A16BBE5FF89328F14C6D9E5698F6A2CB30EC45CB91

Function 00B737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B84891,?,?,00000035,?), ref: 00B737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B84891,?,?,00000035,?), ref: 00B737F4

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0138629de2fcbae34ba8c536a206802c3ce2497ea1df3839ca9ed35c63412038
Instruction ID: 56ddac236a6668d60c9f54d4eb68de8aab68a69a7110419c00ec6d23c9eec8a1
Opcode Fuzzy Hash: 0138629de2fcbae34ba8c536a206802c3ce2497ea1df3839ca9ed35c63412038
Instruction Fuzzy Hash: 41F0E5B1A042286BEB2017668C8DFEB3BEEEFC4B61F0001A5F509D3281D9609D44C6B1

Function 00B6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B6B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00B6B270

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 928d985c8c1fb843fee979e20fdd07ff3d7601f1a11484ddb413b6bf95d5b910
Instruction ID: f145a7e9517f70ad387e2bb19e510ffa8fa46b1bc708112418d3ed7a35562030
Opcode Fuzzy Hash: 928d985c8c1fb843fee979e20fdd07ff3d7601f1a11484ddb413b6bf95d5b910
Instruction Fuzzy Hash: EDF0177180428EABDB059FA0C806BAE7FB4FF08309F10805AF965A61A2D77D86519F94

Function 00B610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B611FC), ref: 00B610D4
CloseHandle.KERNEL32(?,?,00B611FC), ref: 00B610E9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1cf74c01a5cceaf2434315e5d9331c94c14a5f508492a98408618b6967f1efdb
Instruction ID: eb27b705c1407faa0774c743da90b7ac48029e155cca20deb54004d3171749b5
Opcode Fuzzy Hash: 1cf74c01a5cceaf2434315e5d9331c94c14a5f508492a98408618b6967f1efdb
Instruction Fuzzy Hash: B6E04F32008601EFE7252B11FD05EB77BE9EB04310F14886EF5A5814B1DB626CE0DB14

Function 00B0CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B50C40

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 21c86f8b71a88c6b78cf69df82f3a41d4bc4eac8fb59a938f6bf53b7338e7173
Instruction ID: 5c62aab8596562fbe1c9357025b89e2057b4c47cc2885224df3e4589df9fcec8
Opcode Fuzzy Hash: 21c86f8b71a88c6b78cf69df82f3a41d4bc4eac8fb59a938f6bf53b7338e7173
Instruction Fuzzy Hash: 0A3259709102199BDF14EF90C891BEDBFF5EF05304F2482E9E806AB292DB75AD49CB51

Function 00B3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B36766,?,?,00000008,?,?,00B3FEFE,00000000), ref: 00B36998

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54ef603056e55ff479010a9f83e89e4bf6ddadb66967cfa8b0aecfeb01bc0fe8
Instruction ID: ccb0b51c3368da5e4648e08103de8b47d12233a748924bc00819b195509f5f92
Opcode Fuzzy Hash: 54ef603056e55ff479010a9f83e89e4bf6ddadb66967cfa8b0aecfeb01bc0fe8
Instruction Fuzzy Hash: A0B13971610608EFD719CF28C48AB657BE0FF49364F25C699E899CF2A2C735E991CB40

Function 00B1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00B5851F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 41728b5b08f34b63fc79c93bb2dfd966ca6a5ff177394ad350252da77d5cedd1
Instruction ID: e131818dc8dbb5949032e6a3f3d23172f4d067637d116cd30a89d7a5ad8585ec
Opcode Fuzzy Hash: 41728b5b08f34b63fc79c93bb2dfd966ca6a5ff177394ad350252da77d5cedd1
Instruction Fuzzy Hash: 57125E719002299BDB14CF58D881BEEB7F5FF48710F5481EAE849EB251EB309A85CF94

Function 00B7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B7EABD

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 37279a035bbe66a8082e7759ee7a8460cb3276357a81026ae484ec0a51212266
Instruction ID: b320fb242555dfde394845b9374837a54f3a2901d3c1343d85ce9f3d42ea68d3
Opcode Fuzzy Hash: 37279a035bbe66a8082e7759ee7a8460cb3276357a81026ae484ec0a51212266
Instruction Fuzzy Hash: EAE01A312102049FC710EF59D844E9ABBE9AF98760F00849AFC59C7291DB70E8408B91

Function 00B209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B203EE), ref: 00B209DA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 924f0faedc8cc2695abfaa57e91fa34d7b5fcc568695c3a9ea9269afe763ab48
Instruction ID: a059fdf433e44311bb9b66be5dd750316c39ae8560d68416f4b984a9720fc890
Opcode Fuzzy Hash: 924f0faedc8cc2695abfaa57e91fa34d7b5fcc568695c3a9ea9269afe763ab48
Instruction Fuzzy Hash:

Function 00B2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B2798B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 9b0d68b7f9b484b5692cf77464359f8cd513ebbaaaf79a7b37ef295d91c95bb9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 755125716CC7356ADB38856A789ABBE23C5DB12300F1805C9D98EDF282CE15DE81D35E

Function 00B36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e9dada8757c100e994d3dd22c5413ce91f280d0f4ac55f73205c33dae957bd
Instruction ID: b6dd275020b071c156bb41c20ae3d70183db2c794f71e214caadc71bb95228e9
Opcode Fuzzy Hash: 89e9dada8757c100e994d3dd22c5413ce91f280d0f4ac55f73205c33dae957bd
Instruction Fuzzy Hash: DE320261D69F014DD7279638C822335A689AFB73C5F25D737E81AB6EA6EF29C4C34100

Function 00B1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee7f8eb67014c6302f49d115d6d876ee9b8220df33b49b3a3a00fa3cc9ab658
Instruction ID: f2dda66499247aa9fc2c8cdcbad8300922aab190742659fd13f06807005ce99a
Opcode Fuzzy Hash: 5ee7f8eb67014c6302f49d115d6d876ee9b8220df33b49b3a3a00fa3cc9ab658
Instruction Fuzzy Hash: 0F32E431A003158FDF24CA68C4D47BD7FE2EB45306F6885EADC499B296E6309D89DB81

Function 00B07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed4e86d06d38583c3051bc324a6ba9faca9c8cef25e50cb096ddc77a755b440
Instruction ID: 8deb3d64516072e2e6494a131f1f2dcc92cefe077e31f43f57381af479eb6864
Opcode Fuzzy Hash: 6ed4e86d06d38583c3051bc324a6ba9faca9c8cef25e50cb096ddc77a755b440
Instruction Fuzzy Hash: 6D22B170E04A0ADFDF14DF64D881AAEB7F5FF48300F1445A9E816A7292EB35AE50DB50

Function 00B091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9488b1ad524a349ef938410611dcb0e38bab01cd4be3b26686bafcb277765566
Instruction ID: b372e39637586ac5b317c608f632092e353a813c1a4cfc49db43b595497a063f
Opcode Fuzzy Hash: 9488b1ad524a349ef938410611dcb0e38bab01cd4be3b26686bafcb277765566
Instruction Fuzzy Hash: E60295B1E00206EFDB04DF54D881AAEBBF5FF44300F5181A9E816DB291EB31EA51DB95

Function 00B39EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf57b0dd32a26a36f02b3bab2a368741ad436c31172f025dfd54bbfea2afd65
Instruction ID: 100fc56678bad4ecdd67a61e98fb23e2a013fa4d309e32017ba0c262ef9299b9
Opcode Fuzzy Hash: cdf57b0dd32a26a36f02b3bab2a368741ad436c31172f025dfd54bbfea2afd65
Instruction Fuzzy Hash: 27B1E020D2AF404DC62396398872336B6DCAFBB6D5F91D31BFC6675D22EF2285834140

Function 00B27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ab645e80035121277a95d68b91dfa5daa9220bab6d5cec78a3d29b6e21bf23
Instruction ID: b20bd6bac8473f71c6c6b94c7aceb74cbec4add2dca811bf05b50cb6b5c4578e
Opcode Fuzzy Hash: e4ab645e80035121277a95d68b91dfa5daa9220bab6d5cec78a3d29b6e21bf23
Instruction Fuzzy Hash: E26147712C873996DF389A28B9B9BBE23D4DF46710F1009D9E84EDB281DE119E42835D

Function 00B27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fbe9531fdac51929ff7e18b95f3a24417a57fd054532017241a85ac3ba5881
Instruction ID: 31ca0ef54eb2b32b4d70c97e75d166261d8f7e000f651cafb7f45e5bd792a30a
Opcode Fuzzy Hash: c7fbe9531fdac51929ff7e18b95f3a24417a57fd054532017241a85ac3ba5881
Instruction Fuzzy Hash: DC617EB56C873957DE3499287895BBF23C8DF46780F1009F9E84EDB281DE119D42836D

Function 00B72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfd8b559a0cb307b2176e35b5c515e6e15fc6d1eac2471cb795fb8a4aa1b87
Instruction ID: 781d28d3911a20a4dfe3f5783dad43577218b3eba57016876a2cb22b2aaf5a1c
Opcode Fuzzy Hash: d4bfd8b559a0cb307b2176e35b5c515e6e15fc6d1eac2471cb795fb8a4aa1b87
Instruction Fuzzy Hash: 3C2196326216518BD728CF79C82267EB3E5A764310F198A6EE4A7C37D0DE35A904C750

Function 00B82ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B82B30
DeleteObject.GDI32(00000000), ref: 00B82B43
DestroyWindow.USER32 ref: 00B82B52
GetDesktopWindow.USER32 ref: 00B82B6D
GetWindowRect.USER32(00000000), ref: 00B82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82CF8
GetClientRect.USER32(00000000,?), ref: 00B82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D80
GlobalLock.KERNEL32(00000000), ref: 00B82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D98
GlobalUnlock.KERNEL32(00000000), ref: 00B82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82DA8
GlobalFree.KERNEL32(00000000), ref: 00B82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B9FC38,00000000), ref: 00B82DDB
GlobalFree.KERNEL32(00000000), ref: 00B82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B8303F

Strings

, xrefs: 00B82FC5
static, xrefs: 00B82D3A, 00B82E91
AutoIt v3, xrefs: 00B82CF2
DISPLAY, xrefs: 00B82EA2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f563177d4945195cd3cf994e4be5bdc702a09e37ca012d4888ed2322d2b197d3
Instruction ID: ff3006e934f7337e89f2b09a5049f4ab67a198343545e89fb5f0187366dfb412
Opcode Fuzzy Hash: f563177d4945195cd3cf994e4be5bdc702a09e37ca012d4888ed2322d2b197d3
Instruction Fuzzy Hash: E8027B71900214AFDB14DFA4CD89EAE7FF9EF48714F008599F915AB2A1DB70AD01CB60

Function 00B970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B9712F
GetSysColorBrush.USER32(0000000F), ref: 00B97160
GetSysColor.USER32(0000000F), ref: 00B9716C
SetBkColor.GDI32(?,000000FF), ref: 00B97186
SelectObject.GDI32(?,?), ref: 00B97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00B971C0
GetSysColor.USER32(00000010), ref: 00B971C8
CreateSolidBrush.GDI32(00000000), ref: 00B971CF
FrameRect.USER32(?,?,00000000), ref: 00B971DE
DeleteObject.GDI32(00000000), ref: 00B971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00B97230
FillRect.USER32(?,?,?), ref: 00B97262
GetWindowLongW.USER32(?,000000F0), ref: 00B97284

Part of subcall function 00B973E8: GetSysColor.USER32(00000012), ref: 00B97421
Part of subcall function 00B973E8: SetTextColor.GDI32(?,?), ref: 00B97425
Part of subcall function 00B973E8: GetSysColorBrush.USER32(0000000F), ref: 00B9743B
Part of subcall function 00B973E8: GetSysColor.USER32(0000000F), ref: 00B97446
Part of subcall function 00B973E8: GetSysColor.USER32(00000011), ref: 00B97463
Part of subcall function 00B973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B97471
Part of subcall function 00B973E8: SelectObject.GDI32(?,00000000), ref: 00B97482
Part of subcall function 00B973E8: SetBkColor.GDI32(?,00000000), ref: 00B9748B
Part of subcall function 00B973E8: SelectObject.GDI32(?,?), ref: 00B97498
Part of subcall function 00B973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B974B7
Part of subcall function 00B973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B974CE
Part of subcall function 00B973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B974DB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 849803776a99499e3ee415965c43c0ec05e6f505b46d4301449cbefd700aa6a8
Instruction ID: d26b8d4b0353a6622af0a844e58226b6f12e83203d4ecfdf239ab67a7ff17530
Opcode Fuzzy Hash: 849803776a99499e3ee415965c43c0ec05e6f505b46d4301449cbefd700aa6a8
Instruction Fuzzy Hash: F3A19172018311AFDB009F64DD49E6B7BE9FF89320F100A2AF962A71E1DB71E944CB51

Function 00B82711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B82900
GetClientRect.USER32(00000000,?), ref: 00B8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B82964
GetStockObject.GDI32(00000011), ref: 00B82974
SelectObject.GDI32(00000000,00000000), ref: 00B82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B82991
DeleteDC.GDI32(00000000), ref: 00B8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B82A77
GetStockObject.GDI32(00000011), ref: 00B82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B82A97

Strings

static, xrefs: 00B8294F, 00B82A71
msctls_progress32, xrefs: 00B82A13
AutoIt v3, xrefs: 00B828F8
DISPLAY, xrefs: 00B8295A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6d457fdff573dffbf35c95b946c23653e464e73804e71d776baecfdd7e942345
Instruction ID: eed5ba149ef7f955806cd73a09a94ab3754b9fd64f470586bff3e9c02fcb896c
Opcode Fuzzy Hash: 6d457fdff573dffbf35c95b946c23653e464e73804e71d776baecfdd7e942345
Instruction Fuzzy Hash: 9BB14B71A40215BFEB14DFA8CD4AEAEBBB9EB08710F004555F915E72E0DB74AD40CBA4

Function 00B74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B74AED
GetDriveTypeW.KERNEL32(?,00B9CB68,?,\\.\,00B9CC08), ref: 00B74BCA
SetErrorMode.KERNEL32(00000000,00B9CB68,?,\\.\,00B9CC08), ref: 00B74D36

Strings

Virtual, xrefs: 00B74CE5
SSD, xrefs: 00B74C4A
FileBackedVirtual, xrefs: 00B74CEC
Fixed, xrefs: 00B74C09
1394, xrefs: 00B74C9F
PhysicalDrive, xrefs: 00B74B76
Network, xrefs: 00B74C02
SATA, xrefs: 00B74CD0
SCSI, xrefs: 00B74C8A
MMC, xrefs: 00B74CDE
Unknown, xrefs: 00B74BED, 00B74C83
Removable, xrefs: 00B74C10, 00B74C15
RAMDisk, xrefs: 00B74BF4
Fibre, xrefs: 00B74CAD
USB, xrefs: 00B74CB4
SSA, xrefs: 00B74CA6
\\.\, xrefs: 00B74B3F
SAS, xrefs: 00B74CC9
RAID, xrefs: 00B74CBB
CDROM, xrefs: 00B74BFB
ATA, xrefs: 00B74C98
ATAPI, xrefs: 00B74C91
iSCSI, xrefs: 00B74CC2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ccbeb16f3ee3b5237477255a1722ebd9c6eceab0d88f19e420755e085071a058
Instruction ID: a088d1933dafc999ed3e3d2f3a4239b1af5f4dc0d5b58e40faefe530b84f5099
Opcode Fuzzy Hash: ccbeb16f3ee3b5237477255a1722ebd9c6eceab0d88f19e420755e085071a058
Instruction Fuzzy Hash: CA61A131605105ABCB15DF28CAC1E697BE0EF05342B24C4E9F82AAB2A1DB35ED41DB41

Function 00B973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B97421
SetTextColor.GDI32(?,?), ref: 00B97425
GetSysColorBrush.USER32(0000000F), ref: 00B9743B
GetSysColor.USER32(0000000F), ref: 00B97446
CreateSolidBrush.GDI32(?), ref: 00B9744B
GetSysColor.USER32(00000011), ref: 00B97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B97471
SelectObject.GDI32(?,00000000), ref: 00B97482
SetBkColor.GDI32(?,00000000), ref: 00B9748B
SelectObject.GDI32(?,?), ref: 00B97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00B974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00B97572
DrawFocusRect.USER32(?,?), ref: 00B9757D
GetSysColor.USER32(00000011), ref: 00B9758E
SetTextColor.GDI32(?,00000000), ref: 00B97596
DrawTextW.USER32(?,00B970F5,000000FF,?,00000000), ref: 00B975A8
SelectObject.GDI32(?,?), ref: 00B975BF
DeleteObject.GDI32(?), ref: 00B975CA
SelectObject.GDI32(?,?), ref: 00B975D0
DeleteObject.GDI32(?), ref: 00B975D5
SetTextColor.GDI32(?,?), ref: 00B975DB
SetBkColor.GDI32(?,?), ref: 00B975E5

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: be09328ba9589fd8c308dfe32bb07084e5c9c27795bc702b1c8abcf534e84027
Instruction ID: 8c1cb69834f3aacf660d732820a9a86e8cf91c65f6de9efac4a26afdd066c03b
Opcode Fuzzy Hash: be09328ba9589fd8c308dfe32bb07084e5c9c27795bc702b1c8abcf534e84027
Instruction Fuzzy Hash: 16616E72900218AFDF019FA4DD49EEE7FB9EB09320F118166F915BB2A1DB749940CF90

Function 00B90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B91128
GetDesktopWindow.USER32 ref: 00B9113D
GetWindowRect.USER32(00000000), ref: 00B91144
GetWindowLongW.USER32(?,000000F0), ref: 00B91199
DestroyWindow.USER32(?), ref: 00B911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00B91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B91245
IsWindowVisible.USER32(00000000), ref: 00B912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B912D0
GetWindowRect.USER32(00000000,?), ref: 00B912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00B9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00B91328
CopyRect.USER32(?,?), ref: 00B9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00B913AA

Strings

0, xrefs: 00B910D3
tooltips_class32, xrefs: 00B911E6
(, xrefs: 00B9131B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e57866df8e33291ff899e863f15f46ebb664607b9a400875a30d5e98ad2c4a20
Instruction ID: 938c5b1a45bfd274e7e5445498cad1033cbfe8dec437a32f2926cfdf34e310b0
Opcode Fuzzy Hash: e57866df8e33291ff899e863f15f46ebb664607b9a400875a30d5e98ad2c4a20
Instruction Fuzzy Hash: 24B17E71608341AFDB00DF68C985B5ABBE4FF84354F00899DF9999B2A1CB31EC44DB51

Function 00B90241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B902E5
_wcslen.LIBCMT ref: 00B9031F
_wcslen.LIBCMT ref: 00B90389
_wcslen.LIBCMT ref: 00B903F1
_wcslen.LIBCMT ref: 00B90475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B90504

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

Part of subcall function 00B6223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B62258
Part of subcall function 00B6223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B6228A

Strings

FINDITEM, xrefs: 00B90627
ISSELECTED, xrefs: 00B904DD
GETTEXT, xrefs: 00B903EC, 00B90407
VIEWCHANGE, xrefs: 00B90675
SELECTINVERT, xrefs: 00B9057E
SELECTCLEAR, xrefs: 00B9052D
GETSELECTED, xrefs: 00B905E1
SELECT, xrefs: 00B90548
SELECTALL, xrefs: 00B90515
GETITEMCOUNT, xrefs: 00B90316, 00B90337
GETSELECTEDCOUNT, xrefs: 00B90470, 00B9048B
DESELECT, xrefs: 00B9059C
GETSUBITEMCOUNT, xrefs: 00B90384, 00B9039F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e8d5952e5e17cd063213d859f64acf64c9a7701aaa6dbf171f05b70946a27e6a
Instruction ID: 035fd3b7c0ddd004dacf47ddca67faec0b4c7a11293ec03b05fc389f602f5f0a
Opcode Fuzzy Hash: e8d5952e5e17cd063213d859f64acf64c9a7701aaa6dbf171f05b70946a27e6a
Instruction Fuzzy Hash: 0EE19D312282018FCB14EF24C99197AB7E6FF98754B1449ECF8969B3A2DB30ED45CB51

Function 00B18891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B18968
GetSystemMetrics.USER32(00000007), ref: 00B18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B1899B
GetSystemMetrics.USER32(00000008), ref: 00B189A3
GetSystemMetrics.USER32(00000004), ref: 00B189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B18A5A
GetStockObject.GDI32(00000011), ref: 00B18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B18A81

Part of subcall function 00B1912D: GetCursorPos.USER32(?), ref: 00B19141
Part of subcall function 00B1912D: ScreenToClient.USER32(00000000,?), ref: 00B1915E
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000001), ref: 00B19183
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000002), ref: 00B1919D

SetTimer.USER32(00000000,00000000,00000028,00B190FC), ref: 00B18AA8

Strings

AutoIt v3 GUI, xrefs: 00B18A20

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 80e2c95ab4fe5e91b26b9a2523784fffb4b636160c3594a3ad0aeadd924e2331
Instruction ID: 37f9e10e494ea7e82d5b426f47d9770c20316a098b25b751b74bc1a1e081df20
Opcode Fuzzy Hash: 80e2c95ab4fe5e91b26b9a2523784fffb4b636160c3594a3ad0aeadd924e2331
Instruction Fuzzy Hash: B9B17D31A00209AFDB14DFA8CD95BEE7BF5FB48315F5142AAFA15E7290DB34A841CB50

Function 00B60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
Part of subcall function 00B610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
Part of subcall function 00B610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
Part of subcall function 00B610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B60E29
GetLengthSid.ADVAPI32(?), ref: 00B60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B60E96
GetLengthSid.ADVAPI32(?), ref: 00B60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B60EB5
HeapAlloc.KERNEL32(00000000), ref: 00B60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B60EDD
CopySid.ADVAPI32(00000000), ref: 00B60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F6E
HeapFree.KERNEL32(00000000), ref: 00B60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F7E
HeapFree.KERNEL32(00000000), ref: 00B60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F8E
HeapFree.KERNEL32(00000000), ref: 00B60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B60FA1
HeapFree.KERNEL32(00000000), ref: 00B60FA8

Part of subcall function 00B61193: GetProcessHeap.KERNEL32(00000008,00B60BB1,?,00000000,?,00B60BB1,?), ref: 00B611A1
Part of subcall function 00B61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B60BB1,?), ref: 00B611A8
Part of subcall function 00B61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B60BB1,?), ref: 00B611B7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d21e02fe01c6f94693853350b907aff4e407c1b98d86c016d2e6e8ac490dc476
Instruction ID: dc97b1d32164f25f0f194084210d1d6e2e6275a6b303890274b7dd57b87c1fa1
Opcode Fuzzy Hash: d21e02fe01c6f94693853350b907aff4e407c1b98d86c016d2e6e8ac490dc476
Instruction Fuzzy Hash: 3F716A7290021AEBDF21AFA5DD48FAFBBB8FF05300F144156F919A7191DB359A05CB60

Function 00B8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B9CC08,00000000,?,00000000,?,?), ref: 00B8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B8C5A4
_wcslen.LIBCMT ref: 00B8C5F4
_wcslen.LIBCMT ref: 00B8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B8C84D
RegCloseKey.ADVAPI32(?), ref: 00B8C881
RegCloseKey.ADVAPI32(00000000), ref: 00B8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B8C960

Strings

REG_QWORD, xrefs: 00B8C8C3
REG_MULTI_SZ, xrefs: 00B8C6F5
REG_SZ, xrefs: 00B8C644
REG_EXPAND_SZ, xrefs: 00B8C5CD
REG_DWORD, xrefs: 00B8C804
REG_BINARY, xrefs: 00B8C913

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c1f8ad68f2aa84dd3a9f9ac90af4d45512239888deea26fbfd684ef073570adc
Instruction ID: 099ab957203c9a7bb09a695f1fe08f4ad278891d7068e1a06929c9ca95e66c9e
Opcode Fuzzy Hash: c1f8ad68f2aa84dd3a9f9ac90af4d45512239888deea26fbfd684ef073570adc
Instruction Fuzzy Hash: 661268756042019FDB14EF14C891E6ABBE5EF88714F14889DF88A9B3A2DB31FD41CB91

Function 00B9091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B909C6
_wcslen.LIBCMT ref: 00B90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B90A54
_wcslen.LIBCMT ref: 00B90A8A
_wcslen.LIBCMT ref: 00B90B06
_wcslen.LIBCMT ref: 00B90B81

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

Part of subcall function 00B62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B62BFA

Strings

GETITEMCOUNT, xrefs: 00B90C1E
GETTOTALCOUNT, xrefs: 00B909F2, 00B90A17
EXPAND, xrefs: 00B90BF8
GETTEXT, xrefs: 00B90C97
UNCHECK, xrefs: 00B90D3E
GETSELECTED, xrefs: 00B90C4E
SELECT, xrefs: 00B90D11
ISCHECKED, xrefs: 00B90CE1
EXISTS, xrefs: 00B90B7C, 00B90B97
COLLAPSE, xrefs: 00B90B01, 00B90B1C
CHECK, xrefs: 00B90A85, 00B90AA0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9be7209129dbc1a1fdba11b02315de862b0dadfd4292a1f748d016ebdf9eae6b
Instruction ID: 3505f966acac5c47a8e4331c1658f4dc2cb0a05e722772d7cbc7ae57377b32bf
Opcode Fuzzy Hash: 9be7209129dbc1a1fdba11b02315de862b0dadfd4292a1f748d016ebdf9eae6b
Instruction Fuzzy Hash: 74E17E712187018FCB14EF24C49096ABBE1FF98354B5489EDF8969B3A2DB31ED45CB81

Function 00B8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
_wcslen.LIBCMT ref: 00B8C9F1
_wcslen.LIBCMT ref: 00B8CA68
_wcslen.LIBCMT ref: 00B8CA9E
_wcslen.LIBCMT ref: 00B8CAF9
_wcslen.LIBCMT ref: 00B8CB2F
_wcslen.LIBCMT ref: 00B8CB7F

Strings

HKLM, xrefs: 00B8CA98, 00B8CA9D
HKCR, xrefs: 00B8CB29, 00B8CB2E
HKCC, xrefs: 00B8CBAC
HKU, xrefs: 00B8CBF0
HKEY_CURRENT_CONFIG, xrefs: 00B8CB79, 00B8CB7E
HKCU, xrefs: 00B8CBCE
HKEY_USERS, xrefs: 00B8CBDF
HKEY_LOCAL_MACHINE, xrefs: 00B8CA62, 00B8CA67
HKEY_CLASSES_ROOT, xrefs: 00B8CAF3, 00B8CAF8
HKEY_CURRENT_USER, xrefs: 00B8CBBD

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 03a303c5c05e6a1950df091d69f22102d003dcf5676698983fb4cfdcb037ce0a
Instruction ID: 169ec56f082b583fa75da0b163d030bcad4e673ae0cce8720f3f8b708585ce7b
Opcode Fuzzy Hash: 03a303c5c05e6a1950df091d69f22102d003dcf5676698983fb4cfdcb037ce0a
Instruction Fuzzy Hash: 9471F8B360052A8BCB10FE7CD941ABB3BD1EB60754B2105E9F865972A4EA31CD45C7B0

Function 00B9833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B9835A
_wcslen.LIBCMT ref: 00B9836E
_wcslen.LIBCMT ref: 00B98391
_wcslen.LIBCMT ref: 00B983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B95BF2), ref: 00B9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98501
FreeLibrary.KERNEL32(?), ref: 00B9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9851D
DestroyIcon.USER32(?,?,?,?,?,00B95BF2), ref: 00B9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B98555

Strings

.icl, xrefs: 00B98368
.exe, xrefs: 00B98388
.dll, xrefs: 00B983AB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4fb647bb5806e817dae4081ff88645bdcff2667fe98f36002c6187d67102809b
Instruction ID: 6d19bc3577f2fab5bfcc6df943bfb926a03b5c671cb40a589f33110baae0d09b
Opcode Fuzzy Hash: 4fb647bb5806e817dae4081ff88645bdcff2667fe98f36002c6187d67102809b
Instruction Fuzzy Hash: 9D61CD71540215BAEF14DF64DC81BBE7BE8EF19720F1046AAF819D61D1DF74A980CBA0

Function 00B07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00B078D9
#include-once, xrefs: 00B0782F
#notrayicon, xrefs: 00B077E7
", xrefs: 00B45153
#include, xrefs: 00B07847
#pragma compile, xrefs: 00B077D3
Bad directive syntax error, xrefs: 00B4519A
Unterminated group of comments, xrefs: 00B4528C
#cs, xrefs: 00B07873, 00B078C5
#requireadmin, xrefs: 00B077FF
#ce, xrefs: 00B078ED
', xrefs: 00B45169
Cannot parse #include, xrefs: 00B45279
#comments-start, xrefs: 00B0785F, 00B078B1
#OnAutoItStartRegister, xrefs: 00B07817

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: af43b8467d63777d9ef949905d7ddb0d039d1a6699a215b531612177a4861c75
Instruction ID: 375874c616bdfce6975322a3c1056a007d5076bde3bb59f7ffdac87699082520
Opcode Fuzzy Hash: af43b8467d63777d9ef949905d7ddb0d039d1a6699a215b531612177a4861c75
Instruction Fuzzy Hash: EE81D371A44605BBDB20AF60DC82FBE7BE8EF55340F0440E5F905AA1D2EB70EE51D6A1

Function 00B73E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B73EF8
_wcslen.LIBCMT ref: 00B73F03
_wcslen.LIBCMT ref: 00B73F5A
_wcslen.LIBCMT ref: 00B73F98
GetDriveTypeW.KERNEL32(?), ref: 00B73FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B74059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B74087

Strings

close cd wait, xrefs: 00B74072
type cdaudio alias cd wait, xrefs: 00B74001
wait, xrefs: 00B74044
set cd door , xrefs: 00B74028
open, xrefs: 00B73F54, 00B73F59
closed, xrefs: 00B73F08, 00B73F2D, 00B73F46, 00B73F7E, 00B73F97
open , xrefs: 00B73FE5
close, xrefs: 00B73EFE, 00B73F18

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b4b8d2fa7b42370df7b12c217816070254bc8bb095639b50e522636e6b719b73
Instruction ID: f1684a5061c0941e90433720d25169a7fc09c64fff9776f798628eee8d582c8c
Opcode Fuzzy Hash: b4b8d2fa7b42370df7b12c217816070254bc8bb095639b50e522636e6b719b73
Instruction Fuzzy Hash: 7871E4726043119FC310EF24C89196BBBF4EF94794F1089ADF5A9972A1EB30DD45CB91

Function 00B65A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B65A40
SetWindowTextW.USER32(?,?), ref: 00B65A57
GetDlgItem.USER32(?,000003EA), ref: 00B65A6C
SetWindowTextW.USER32(00000000,?), ref: 00B65A72
GetDlgItem.USER32(?,000003E9), ref: 00B65A82
SetWindowTextW.USER32(00000000,?), ref: 00B65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B65AC3
GetWindowRect.USER32(?,?), ref: 00B65ACC
_wcslen.LIBCMT ref: 00B65B33
SetWindowTextW.USER32(?,?), ref: 00B65B6F
GetDesktopWindow.USER32 ref: 00B65B75
GetWindowRect.USER32(00000000), ref: 00B65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B65BD3
GetClientRect.USER32(?,?), ref: 00B65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B65C2F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8424650544d4d5f767685d932d8b68f6a6f4c4ae73297b11fef1c5d399f400a7
Instruction ID: f2f05e44087b08c4cf607b5a0f17b1469863091074f701deeef6a912ffc73756
Opcode Fuzzy Hash: 8424650544d4d5f767685d932d8b68f6a6f4c4ae73297b11fef1c5d399f400a7
Instruction Fuzzy Hash: 4C718E31900B09AFDB30DFA8CE85AAEBBF5FF48704F144559E146A35A0DB78E950CB50

Function 00B7FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B7FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00B7FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00B7FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00B7FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00B7FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00B7FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00B7FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00B7FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00B7FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00B7FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00B7FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00B7FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00B7FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00B7FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00B7FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00B7FECC
GetCursorInfo.USER32(?), ref: 00B7FEDC
GetLastError.KERNEL32 ref: 00B7FF1E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1de32ff3e4c9fe4503c46b1b85eeeeac16f7cbd2e4491b293aa08982880ec492
Instruction ID: 2fc163bd8c6fc7994467bb4c89ac1e4a87fa96e96d5e0d3d4d601b4e565b329f
Opcode Fuzzy Hash: 1de32ff3e4c9fe4503c46b1b85eeeeac16f7cbd2e4491b293aa08982880ec492
Instruction Fuzzy Hash: 054157B0D0531A6BDB109FBA8C8586EBFE8FF04354B50856AE11DEB281DB789901CE95

Function 00B200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B200C6

Part of subcall function 00B200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00BD070C,00000FA0,62B111D8,?,?,?,?,00B423B3,000000FF), ref: 00B2011C
Part of subcall function 00B200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B423B3,000000FF), ref: 00B20127
Part of subcall function 00B200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B423B3,000000FF), ref: 00B20138
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B2014E
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B2015C
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B2016A
Part of subcall function 00B200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B20195
Part of subcall function 00B200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B201A0

___scrt_fastfail.LIBCMT ref: 00B200E7

Part of subcall function 00B200A3: __onexit.LIBCMT ref: 00B200A9

Strings

kernel32.dll, xrefs: 00B20133
WakeAllConditionVariable, xrefs: 00B20162
InitializeConditionVariable, xrefs: 00B20148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B20122
SleepConditionVariableCS, xrefs: 00B20154

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d3f10ec9b0981113011fab9af365dd0e7ee9e1d28366d742e869541adb1abbdf
Instruction ID: 09d21b342988fa1fdb940eb173de9e67e1942eb71db2f4a6bd714332032c130e
Opcode Fuzzy Hash: d3f10ec9b0981113011fab9af365dd0e7ee9e1d28366d742e869541adb1abbdf
Instruction Fuzzy Hash: 2021A7326557216BEB107B74BD46B6A77D4DF05B61F1001B7F809F76A2DE609C008B94

Function 00B630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B6318D
_wcslen.LIBCMT ref: 00B631F8

Strings

CLASS, xrefs: 00B63188, 00B631A5
CLASSNN, xrefs: 00B631F3, 00B63204
REGEXPCLASS, xrefs: 00B63255, 00B63266
TEXT, xrefs: 00B6347C
INSTANCE, xrefs: 00B63453
NAME, xrefs: 00B63335, 00B63346

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5b335805a4e059aa1197649142b7c92c06faad618d3fd69c1a1cf8a68eb5dc76
Instruction ID: 33a9b97bf0e4ded58a860a69570fcf7779779cce19798f991a03783b91fc314e
Opcode Fuzzy Hash: 5b335805a4e059aa1197649142b7c92c06faad618d3fd69c1a1cf8a68eb5dc76
Instruction Fuzzy Hash: 08E1A632A005269BCB24DFA8C491BEEFBF4FF54B50F548199E456B7240DF34AE858790

Function 00B744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B9CC08), ref: 00B74527
_wcslen.LIBCMT ref: 00B7453B
_wcslen.LIBCMT ref: 00B74599
_wcslen.LIBCMT ref: 00B745F4
_wcslen.LIBCMT ref: 00B7463F
_wcslen.LIBCMT ref: 00B746A7

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

GetDriveTypeW.KERNEL32(?,00BC6BF0,00000061), ref: 00B74743

Strings

network, xrefs: 00B7469D, 00B746A2
fixed, xrefs: 00B74635, 00B7463A
ramdisk, xrefs: 00B746F1
cdrom, xrefs: 00B7458F, 00B74594
all, xrefs: 00B74531, 00B74536
unknown, xrefs: 00B74708
removable, xrefs: 00B745EA, 00B745EF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 58f05688d012f046823d899658b27847b103ca2005b0c8a7086ded5d089746dc
Instruction ID: 61792ca1ec69f544b9b0cbe60cb478249c12af88c34a56e25461cd958bbff9df
Opcode Fuzzy Hash: 58f05688d012f046823d899658b27847b103ca2005b0c8a7086ded5d089746dc
Instruction Fuzzy Hash: 5BB1F2316083029FC714DF28C891A6ABBE5FFA5761F50899DF4AAC7291E730DD44CB92

Function 00B83FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B9CC08), ref: 00B840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00B9CC08), ref: 00B840F2
FreeLibrary.KERNEL32(00000000,?,00B9CC08), ref: 00B8413E
StringFromGUID2.OLE32(?,?,00000028,?,00B9CC08), ref: 00B841A8
SysFreeString.OLEAUT32(00000009), ref: 00B84262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B842C8
SysFreeString.OLEAUT32(?), ref: 00B842F2

Strings

GetModuleHandleExW, xrefs: 00B840C7
kernel32.dll, xrefs: 00B840B6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 8a50020f2c519684c099e6aef65696285bc10d73f74cfbd3033120a3b0ad21f8
Instruction ID: 9f61aa4c76614ead27c1f35440d765bca0154ecb6ef9e3195a0ae810bfb20bab
Opcode Fuzzy Hash: 8a50020f2c519684c099e6aef65696285bc10d73f74cfbd3033120a3b0ad21f8
Instruction Fuzzy Hash: AF124D75A00116EFDB14EF94C884EAEBBF5FF45314F248099E905AB261DB31ED46CBA0

Function 00B0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00BD1990), ref: 00B42F8D
GetMenuItemCount.USER32(00BD1990), ref: 00B4303D
GetCursorPos.USER32(?), ref: 00B43081
SetForegroundWindow.USER32(00000000), ref: 00B4308A
TrackPopupMenuEx.USER32(00BD1990,00000000,?,00000000,00000000,00000000), ref: 00B4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B430A9

Strings

0, xrefs: 00B0327D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 20df168d487a4931421d45b9c2147647e865cda0815c875c9d3bb7eb4e85e957
Instruction ID: 3ae133fc1dbad6ebf919d1835fa124cb81a5ba2905e534091f6f09bae8a30a25
Opcode Fuzzy Hash: 20df168d487a4931421d45b9c2147647e865cda0815c875c9d3bb7eb4e85e957
Instruction Fuzzy Hash: EE711831640215BFEB218F24CC89FAABFE8FF01764F240296F514A61E1C7B1AA54E750

Function 00B96CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00B96DEB

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B96E94
DestroyWindow.USER32(?), ref: 00B96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B00000,00000000), ref: 00B96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B96EFD
GetDesktopWindow.USER32 ref: 00B96F16
GetWindowRect.USER32(00000000), ref: 00B96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B96F4D

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

Strings

tooltips_class32, xrefs: 00B96E58, 00B96EDD
0, xrefs: 00B96D98

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7a733fcfad871bbb25f472d9bbe42c0740464a22c5c0bff600bd2d6c9e9a48f4
Instruction ID: a7ce2195814635bcdd69f2e6d3c2ad54efd7958c3970bab94a871f6d8c764c3d
Opcode Fuzzy Hash: 7a733fcfad871bbb25f472d9bbe42c0740464a22c5c0bff600bd2d6c9e9a48f4
Instruction Fuzzy Hash: 5D715774104244AFDB21CF18DC58FBABBE9FB89304F44086EF999872A1DB74A906CB11

Function 00B9911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DragQueryPoint.SHELL32(?,?), ref: 00B99147

Part of subcall function 00B97674: ClientToScreen.USER32(?,?), ref: 00B9769A
Part of subcall function 00B97674: GetWindowRect.USER32(?,?), ref: 00B97710
Part of subcall function 00B97674: PtInRect.USER32(?,?,00B98B89), ref: 00B97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00B991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00B9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99277
DragFinish.SHELL32(?), ref: 00B9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B99371

Strings

@GUI_DRAGID, xrefs: 00B992E9
@GUI_DROPID, xrefs: 00B9929E
@GUI_DRAGFILE, xrefs: 00B99320

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 29f8651ba2102553e2f1a54ad99bdf2e678402186ce64d6ccc73ad6c125af217
Instruction ID: 46fa03a8d422c6931212e89f714d442884e3fb710666b0904536e3ea907fdfef
Opcode Fuzzy Hash: 29f8651ba2102553e2f1a54ad99bdf2e678402186ce64d6ccc73ad6c125af217
Instruction Fuzzy Hash: 2D614772108301AFD701DF64DD85DABBFE8EF89750F4009AEB595932A1DB309A49CB62

Function 00B7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7C5F0
InternetCloseHandle.WININET(00000000), ref: 00B7C5FB

Strings

, xrefs: 00B7C575

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 48502353eb0a3e54a223defc5ae9e6c9738f327e47a87eb8d3ae0c613d71c010
Instruction ID: 2c1adb7c8d221b7d6437296405e85fa037ff639aea9e1e06bf6b49d7c212e5ff
Opcode Fuzzy Hash: 48502353eb0a3e54a223defc5ae9e6c9738f327e47a87eb8d3ae0c613d71c010
Instruction Fuzzy Hash: 54514BB1500608BFDB218FA0C989AAB7FFCFF18754F00845EF95997210DB35EA449B60

Function 00B9856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B98592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985BA
GlobalLock.KERNEL32(00000000), ref: 00B985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985D7
GlobalUnlock.KERNEL32(00000000), ref: 00B985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B9FC38,?), ref: 00B98611
GlobalFree.KERNEL32(00000000), ref: 00B98621
GetObjectW.GDI32(?,00000018,?), ref: 00B98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B98671
DeleteObject.GDI32(?), ref: 00B98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B986AF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d36b3a2f0f0e05b4f956637d55b3cc386179961c800840391f553cebde0fe1cd
Instruction ID: 0a95a3876d3576ea7b0190182ac08e2602cc59cfc27327556915f3cbb23fde81
Opcode Fuzzy Hash: d36b3a2f0f0e05b4f956637d55b3cc386179961c800840391f553cebde0fe1cd
Instruction Fuzzy Hash: BD410A75600204AFDB11DFA5DD88EAA7FB8FF8A711F104069F905EB260DB709D01CB60

Function 00B714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B71502
VariantCopy.OLEAUT32(?,?), ref: 00B7150B
VariantClear.OLEAUT32(?), ref: 00B71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00B71657
VariantInit.OLEAUT32(?), ref: 00B71708
SysFreeString.OLEAUT32(?), ref: 00B7178C
VariantClear.OLEAUT32(?), ref: 00B717D8
VariantClear.OLEAUT32(?), ref: 00B717E7
VariantInit.OLEAUT32(00000000), ref: 00B71823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B71625
Default, xrefs: 00B716AF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3110bc770a2e8e67d8893e56455f8fe78e9a710726128cbf47ce96f31b7b37a5
Instruction ID: 5b4cf35c487a35c14ec30d9871f588880e9e8e602140d2d08344d3116a96ef01
Opcode Fuzzy Hash: 3110bc770a2e8e67d8893e56455f8fe78e9a710726128cbf47ce96f31b7b37a5
Instruction Fuzzy Hash: 3AD1CE71A00105EBDB189F6DE885BB9BBF5EF44704F14C8D6E42AAB290DB30EC45DB61

Function 00B8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00B8B80A
RegCloseKey.ADVAPI32(?), ref: 00B8B87E
RegCloseKey.ADVAPI32(?), ref: 00B8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8B922
FreeLibrary.KERNEL32(00000000), ref: 00B8B983
RegCloseKey.ADVAPI32(00000000), ref: 00B8B994

Strings

RegDeleteKeyExW, xrefs: 00B8B8FE
advapi32.dll, xrefs: 00B8B8ED

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d7b6ff29c6df926e548508100dbe4ee4ed7eb9be6decb1f259204642692bea67
Instruction ID: c417fa1c44a367ceb3a00afdcb020817645ecb60e02a284c227c6834071db167
Opcode Fuzzy Hash: d7b6ff29c6df926e548508100dbe4ee4ed7eb9be6decb1f259204642692bea67
Instruction Fuzzy Hash: 34C16C35208201AFD714EF24C495F2ABBE5FF84318F14859CF5AA8B2A2CB75ED45CB91

Function 00B8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B825E8
CreateCompatibleDC.GDI32(?), ref: 00B825F4
SelectObject.GDI32(00000000,?), ref: 00B82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B826D0
SelectObject.GDI32(?,?), ref: 00B826D8
DeleteObject.GDI32(?), ref: 00B826E1
DeleteDC.GDI32(?), ref: 00B826E8
ReleaseDC.USER32(00000000,?), ref: 00B826F3

Strings

(, xrefs: 00B8268D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 26da2652c5e24f112a9abbc0e41c6cafb07eba90bfbf43909cda0dde79f11722
Instruction ID: 1470472b257a3559ba2685b94e113231b9a009c97229f17a3cc4712219472d98
Opcode Fuzzy Hash: 26da2652c5e24f112a9abbc0e41c6cafb07eba90bfbf43909cda0dde79f11722
Instruction Fuzzy Hash: C661E275D00219EFCF04DFA4D984AAEBBF5FF48310F20856AE955A7260E770A941CFA4

Function 00B3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B3DAA1

Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D659
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D66B
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D67D
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D68F
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6A1
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6B3
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6C5
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6D7
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6E9
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6FB
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D70D
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D71F
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D731

_free.LIBCMT ref: 00B3DA96

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3DAB8
_free.LIBCMT ref: 00B3DACD
_free.LIBCMT ref: 00B3DAD8
_free.LIBCMT ref: 00B3DAFA
_free.LIBCMT ref: 00B3DB0D
_free.LIBCMT ref: 00B3DB1B
_free.LIBCMT ref: 00B3DB26
_free.LIBCMT ref: 00B3DB5E
_free.LIBCMT ref: 00B3DB65
_free.LIBCMT ref: 00B3DB82
_free.LIBCMT ref: 00B3DB9A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ee895a80a1e021d6d1471bfca7314d965c89ca25c91c4608018779f38f050cf
Instruction ID: 7df7c1a0bdc0fbf43111f3a97293dfebe376e4bc80d6bb6c1311a3cce8328f5b
Opcode Fuzzy Hash: 2ee895a80a1e021d6d1471bfca7314d965c89ca25c91c4608018779f38f050cf
Instruction Fuzzy Hash: 8A312A326046059FEB22AB39F845B5AB7E9FF10310F3545E9E459D7291EA31AC408720

Function 00B6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B6369C
_wcslen.LIBCMT ref: 00B636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B63797
GetClassNameW.USER32(?,?,00000400), ref: 00B6380C
GetDlgCtrlID.USER32(?), ref: 00B6385D
GetWindowRect.USER32(?,?), ref: 00B63882
GetParent.USER32(?), ref: 00B638A0
ScreenToClient.USER32(00000000), ref: 00B638A7
GetClassNameW.USER32(?,?,00000100), ref: 00B63921
GetWindowTextW.USER32(?,?,00000400), ref: 00B6395D

Strings

%s%u, xrefs: 00B63734

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 98c47b348f50ac98ae0689f69aa49f7934eb4c654dc0099202dcb7666435c8b3
Instruction ID: aedd129fdb512a0951eaa2a5a9d71d5c45c24242f3bbbacdf687eb8b3b08325e
Opcode Fuzzy Hash: 98c47b348f50ac98ae0689f69aa49f7934eb4c654dc0099202dcb7666435c8b3
Instruction Fuzzy Hash: 6C919E71204606AFD719DF24C885FAAB7E8FF44750F008669F99AD3190DB38EA45CBA1

Function 00B64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B64994
GetWindowTextW.USER32(?,?,00000400), ref: 00B649DA
_wcslen.LIBCMT ref: 00B649EB
CharUpperBuffW.USER32(?,00000000), ref: 00B649F7
_wcsstr.LIBVCRUNTIME ref: 00B64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00B64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B64B20
GetWindowRect.USER32(?,?), ref: 00B64B8B

Strings

ThumbnailClass, xrefs: 00B64A6F, 00B64AF1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f1c3226ca817f4e7525affd53000810e54264fc08dc17a0762fc6f1adf5fd269
Instruction ID: eff08c43b6a867610bbd5ef14cff0c5d614733741174a714b30b79595f8e8b9f
Opcode Fuzzy Hash: f1c3226ca817f4e7525affd53000810e54264fc08dc17a0762fc6f1adf5fd269
Instruction Fuzzy Hash: A491BF31004605AFDB14DF14C981FAA7BE8FF84754F0884AAFD899B196DB38ED45CBA1

Function 00B98D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B98D5A
GetFocus.USER32 ref: 00B98D6A
GetDlgCtrlID.USER32(00000000), ref: 00B98D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B98E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B98ECF
GetMenuItemCount.USER32(?), ref: 00B98EEC
GetMenuItemID.USER32(?,00000000), ref: 00B98EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B98F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B98F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B98FA1

Strings

0, xrefs: 00B98E9F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ef5b16dd8ba343544ccc8215926c14d0cd04e7e85c353487e0d69a6af5c93688
Instruction ID: 0f0444a9104fac12e0e05ab38d2261b7d8529e1ec74d00137ac58867db4e6c58
Opcode Fuzzy Hash: ef5b16dd8ba343544ccc8215926c14d0cd04e7e85c353487e0d69a6af5c93688
Instruction Fuzzy Hash: 5F81AE71508301AFDB11CF24D984AABBBE9FF8A754F1409AEF98597291DF30D901CBA1

Function 00B6BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00BD1990,000000FF,00000000,00000030), ref: 00B6BFAC
SetMenuItemInfoW.USER32(00BD1990,00000004,00000000,00000030), ref: 00B6BFE1
Sleep.KERNEL32(000001F4), ref: 00B6BFF3
GetMenuItemCount.USER32(?), ref: 00B6C039
GetMenuItemID.USER32(?,00000000), ref: 00B6C056
GetMenuItemID.USER32(?,-00000001), ref: 00B6C082
GetMenuItemID.USER32(?,?), ref: 00B6C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B6C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6C145

Strings

0, xrefs: 00B6BF3D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 4c919d1f2e4cb087f78588c0929dc2549471cc814e151b2e494739b50af8950a
Instruction ID: 0e47ebf9c19375bb977cbdea8259bb10b613620fe0901c18a8d7efabdb8bc822
Opcode Fuzzy Hash: 4c919d1f2e4cb087f78588c0929dc2549471cc814e151b2e494739b50af8950a
Instruction Fuzzy Hash: FF617FB090024AAFDF11CF64DD89ABEBFF8EB05344F104196E991A3291DB39AD45CB61

Function 00B6DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B6DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B6DC46
_wcslen.LIBCMT ref: 00B6DC50
_wcsstr.LIBVCRUNTIME ref: 00B6DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B6DCBC

Strings

StringFileInfo\, xrefs: 00B6DC8F
DefaultLangCodepage, xrefs: 00B6DD1F
\VarFileInfo\Translation, xrefs: 00B6DCB4
04090000, xrefs: 00B6DCF2
%u.%u.%u.%u, xrefs: 00B6DD9A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3aa3d8193327607a1e7dc47a672832bb7279b6676d4c3efbcc4e2d76251483bb
Instruction ID: 9001ade61b60242e4419ed9eb775a870bff0e8bf1dce3fad716b3eb9b5899d38
Opcode Fuzzy Hash: 3aa3d8193327607a1e7dc47a672832bb7279b6676d4c3efbcc4e2d76251483bb
Instruction Fuzzy Hash: 43410432A40215BADB10B764EC43EFF7BECEF45710F5000FAF904A6192EB78990187A9

Function 00B8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8CD48

Part of subcall function 00B8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B8CCAA
Part of subcall function 00B8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B8CCBD
Part of subcall function 00B8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8CCCF
Part of subcall function 00B8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8CD05
Part of subcall function 00B8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8CCF3

Strings

RegDeleteKeyExW, xrefs: 00B8CCC9
advapi32.dll, xrefs: 00B8CCB8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3db803bd7681609ca606802bd68b3123ffa71f28fcd37597c9992eff591efbe7
Instruction ID: 048b0fc40fce5381349cd48acdd336256e83e79a4e9a1f0f6634aa2af43446a3
Opcode Fuzzy Hash: 3db803bd7681609ca606802bd68b3123ffa71f28fcd37597c9992eff591efbe7
Instruction Fuzzy Hash: 3E3160B1901129BBD720AB55DC88EFFBFBCEF45750F0001A6A905E3161DB749A45DBB0

Function 00B73D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B73D40
_wcslen.LIBCMT ref: 00B73D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B73D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B73DBE
RemoveDirectoryW.KERNEL32(?), ref: 00B73DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B73E55
CloseHandle.KERNEL32(00000000), ref: 00B73E60
CloseHandle.KERNEL32(00000000), ref: 00B73E6B

Strings

\??\%s, xrefs: 00B73D5B
\, xrefs: 00B73D77
:, xrefs: 00B73D82

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 53d7fe8d893ec8c0ef5d530a862dfa4e87e62e0d9afc8bdf86e8c924718740e3
Instruction ID: 25e0cf9f19653ab357b69e77a6a1eb59b90a96f1b96885ca20bc1fcc1ef08acb
Opcode Fuzzy Hash: 53d7fe8d893ec8c0ef5d530a862dfa4e87e62e0d9afc8bdf86e8c924718740e3
Instruction Fuzzy Hash: 91316D71904219AADB219FA0DD49FAB37F8EF88B00F1081B6F519D6160EB7497849B64

Function 00B6E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B6E6B4

Part of subcall function 00B1E551: timeGetTime.WINMM(?,?,00B6E6D4), ref: 00B1E555

Sleep.KERNEL32(0000000A), ref: 00B6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B6E727
SetActiveWindow.USER32 ref: 00B6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B6E773
Sleep.KERNEL32(000000FA), ref: 00B6E77E
IsWindow.USER32 ref: 00B6E78A
EndDialog.USER32(00000000), ref: 00B6E79B

Strings

BUTTON, xrefs: 00B6E719

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be8ca71aa53d9c547fb217eb7f53f842c1e90ae54fe824fc2aded3a83a00c7cd
Instruction ID: b4600bd22551be362365ebfbaacf5c16669c9dd01420ee07367e07d69e4c02ce
Opcode Fuzzy Hash: be8ca71aa53d9c547fb217eb7f53f842c1e90ae54fe824fc2aded3a83a00c7cd
Instruction Fuzzy Hash: 28219AB4201240BFEB015F64ED99A3A7FA9EB64748B100467F925831B2EF79EC009B24

Function 00B6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B6EAA7

Strings

play PlayMe, xrefs: 00B6EAA2
close PlayMe, xrefs: 00B6EA6E, 00B6EA9B
play PlayMe wait, xrefs: 00B6EA91
open , xrefs: 00B6EA0C
status PlayMe mode, xrefs: 00B6EA58
alias PlayMe, xrefs: 00B6EA36

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b9167f91c002a4eef714cd7af60df84d31f5c4ad77dc163aa41c13d1393ac8b2
Instruction ID: 968bba54bfe3bee60be09ba0fb01b629ceed9766190cad9c1e1b377faa06d76b
Opcode Fuzzy Hash: b9167f91c002a4eef714cd7af60df84d31f5c4ad77dc163aa41c13d1393ac8b2
Instruction Fuzzy Hash: B2119E35A9021979D720A7A5DD4AEFF6FFCEFD5B40F0004A9B811A20E1EEB04904C6B0

Function 00B69F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B6A012
SetKeyboardState.USER32(?), ref: 00B6A07D
GetAsyncKeyState.USER32(000000A0), ref: 00B6A09D
GetKeyState.USER32(000000A0), ref: 00B6A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00B6A0E3
GetKeyState.USER32(000000A1), ref: 00B6A0F4
GetAsyncKeyState.USER32(00000011), ref: 00B6A120
GetKeyState.USER32(00000011), ref: 00B6A12E
GetAsyncKeyState.USER32(00000012), ref: 00B6A157
GetKeyState.USER32(00000012), ref: 00B6A165
GetAsyncKeyState.USER32(0000005B), ref: 00B6A18E
GetKeyState.USER32(0000005B), ref: 00B6A19C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e1d0030f347f5b839e8273d5e6db33c4c3f92441c536c8df2732369fe3be5e95
Instruction ID: 193f26dcea0cb83979f6d1486e8b70c76a3a67cbed8bf34cf859497a063ea405
Opcode Fuzzy Hash: e1d0030f347f5b839e8273d5e6db33c4c3f92441c536c8df2732369fe3be5e95
Instruction Fuzzy Hash: B951A92090578829FF35EB6089557EABFF5DF13380F0845D9D5C2671C2DA6CAA8CCB62

Function 00B65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B65CE2
GetWindowRect.USER32(00000000,?), ref: 00B65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B65D59
GetDlgItem.USER32(?,00000002), ref: 00B65D69
GetWindowRect.USER32(00000000,?), ref: 00B65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B65DCF
GetDlgItem.USER32(?,000003E9), ref: 00B65DDD
GetWindowRect.USER32(00000000,?), ref: 00B65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B65E31
GetDlgItem.USER32(?,000003EA), ref: 00B65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B65E67

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 130c819fbabdd8b0ed380b077290d2bb57c3069fa84fa6ce6681c17f097516e4
Instruction ID: 874c2300daaa5eb3414aef1be5d06e574d79585ead8872dddb67c9b04ee156bf
Opcode Fuzzy Hash: 130c819fbabdd8b0ed380b077290d2bb57c3069fa84fa6ce6681c17f097516e4
Instruction Fuzzy Hash: 0F510D71A00605AFDF18CFA8DD89AAEBBF5FB48300F548169F515E7290DB749E10CB60

Function 00B18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B18BE8,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B18FC5

DestroyWindow.USER32(?), ref: 00B18C81
KillTimer.USER32(00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00B56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000), ref: 00B569D4
DeleteObject.GDI32(00000000), ref: 00B569E6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 49d1389d8c52d76f610d7b08b087d14ab300523aafc592c9609f0e3ed582c6c7
Instruction ID: f97a4a6be35662571c572049ccffd2bf84651d99d32d7d492f82e86422f6980f
Opcode Fuzzy Hash: 49d1389d8c52d76f610d7b08b087d14ab300523aafc592c9609f0e3ed582c6c7
Instruction Fuzzy Hash: 7C618D31502700EFCB259F18DA68BA5BBF1FB44312F9449AEE4429B560CB35ADC5DF90

Function 00B19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

GetSysColor.USER32(0000000F), ref: 00B19862

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 10fa75bff101f08af57b5dcc62fb233171a3a96c4dd2bfc0897df27de92ea0ae
Instruction ID: 2435cad1fea82d8564e75b9803316f1b54a054dd8b5d7a7518507461f34ea32d
Opcode Fuzzy Hash: 10fa75bff101f08af57b5dcc62fb233171a3a96c4dd2bfc0897df27de92ea0ae
Instruction Fuzzy Hash: CA41B231104690AFDB205F38ACA4BF93BE5FB163B1F944686F9A2971E1DB309C81DB10

Function 00B696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00B4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B69717
LoadStringW.USER32(00000000,?,00B4F7F8,00000001), ref: 00B69720

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B69742
LoadStringW.USER32(00000000,?,00B4F7F8,00000001), ref: 00B69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B69866

Strings

Line %d (File "%s"):, xrefs: 00B6978F
Line %d:, xrefs: 00B697A0
Error: , xrefs: 00B6981D
^ ERROR, xrefs: 00B697FB
%s (%d) : ==> %s: %s %s, xrefs: 00B6984A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c1b9fc644c438271b5fffe684e24cec368383020c574fab488ebce25ec104ec2
Instruction ID: 949bfcf61d275610ef8ae1020e2fd8f37b0b1f8c473f1aa28915f38acd53a6b3
Opcode Fuzzy Hash: c1b9fc644c438271b5fffe684e24cec368383020c574fab488ebce25ec104ec2
Instruction Fuzzy Hash: 71412D72800209AADB04EBE0CE86EEE7BFCAF55740F5400A5B60572192EB356F49CB61

Function 00B606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B6083C

Strings

\IPC$, xrefs: 00B60784
SOFTWARE\Classes\, xrefs: 00B6070E
\CLSID, xrefs: 00B60724

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 449a612c4f105796af88db8764417ea4607105fc123a455ecff7835c9539a5a9
Instruction ID: 5fa6615bc1462121a07609d7ba970015b48d4120cde86be7dd2f3e2da7f49bf6
Opcode Fuzzy Hash: 449a612c4f105796af88db8764417ea4607105fc123a455ecff7835c9539a5a9
Instruction Fuzzy Hash: 91410C71C20229ABDF15EF94DC85DEEBBB8FF04750F4441A9E901A31A1EB745E44CBA0

Function 00B93F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B9403B
CreateCompatibleDC.GDI32(00000000), ref: 00B94042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B94055
SelectObject.GDI32(00000000,00000000), ref: 00B9405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B94068
DeleteDC.GDI32(00000000), ref: 00B94072
GetWindowLongW.USER32(?,000000EC), ref: 00B9407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00B94092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00B9409E

Strings

static, xrefs: 00B93FD3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7bb8b47220f533999e14cecd1351b0431eac5b24921aeac2d6220a1eeb9f07a2
Instruction ID: dc3064da85078de3ae31a484892b79ca41912fc7f539f2f9653102c1b8c0319a
Opcode Fuzzy Hash: 7bb8b47220f533999e14cecd1351b0431eac5b24921aeac2d6220a1eeb9f07a2
Instruction Fuzzy Hash: BD316C32501219ABDF219FA4CD49FDA3FA8EF0E724F110261FA18E61A0DB75D821DB64

Function 00B83C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B83C5C
CoInitialize.OLE32(00000000), ref: 00B83C8A
CoUninitialize.OLE32 ref: 00B83C94
_wcslen.LIBCMT ref: 00B83D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00B83DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B83ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B83F0E
CoGetObject.OLE32(?,00000000,00B9FB98,?), ref: 00B83F2D
SetErrorMode.KERNEL32(00000000), ref: 00B83F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B83FC4
VariantClear.OLEAUT32(?), ref: 00B83FD8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 29aa45909c262534aec574d17e212b2cc399b959f73ec60a97223ff735cfbbd1
Instruction ID: 662686d6434d86f6679cfbf5ef3193925aa22da85ca708414716a24d8a0268d8
Opcode Fuzzy Hash: 29aa45909c262534aec574d17e212b2cc399b959f73ec60a97223ff735cfbbd1
Instruction Fuzzy Hash: 4AC149716083059FD700EF68C88492BBBE9FF89B44F1049ADF9899B261DB31ED05CB52

Function 00B77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00B77BA3
CoCreateInstance.OLE32(00B9FD08,00000000,00000001,00BC6E6C,?), ref: 00B77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B77C74
CoTaskMemFree.OLE32(?,?), ref: 00B77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00B77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B77D7A
CoTaskMemFree.OLE32(00000000), ref: 00B77D81
CoTaskMemFree.OLE32(00000000), ref: 00B77DD6
CoUninitialize.OLE32 ref: 00B77DDC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 78b0173ceb51fd0095febc8b473fe03b6bdcf7123fb5f340717a6e56a4bcc0e1
Instruction ID: 55e7846e195b0eb2200b07e0ed6188c50add4c56a0f81d4ca168e9bc0f36caa3
Opcode Fuzzy Hash: 78b0173ceb51fd0095febc8b473fe03b6bdcf7123fb5f340717a6e56a4bcc0e1
Instruction Fuzzy Hash: 63C10C75A04209AFDB14DF64C894DAEBBF9FF48304B1484A9E819DB361DB31EE45CB90

Function 00B9541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B95515
CharNextW.USER32(00000158), ref: 00B95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B955AC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5e196d44313ee645ea0400c62c3372b9ef782cc56001d0e706ee6c701b2b8ebf
Instruction ID: 94c26c6b88b9b971b978b764c345f4dc019d9e95847d63529022b2276df86a9c
Opcode Fuzzy Hash: 5e196d44313ee645ea0400c62c3372b9ef782cc56001d0e706ee6c701b2b8ebf
Instruction Fuzzy Hash: 8961A071940608EFEF228F54CC84AFE7BF9EB05720F1081A5F925A7291DB749A81DB60

Function 00B5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00B5FB08
VariantInit.OLEAUT32(?), ref: 00B5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00B5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B5FBA1
VariantClear.OLEAUT32(?), ref: 00B5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B5FBCC
VariantClear.OLEAUT32(?), ref: 00B5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B5FBE9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4d100f1d70421cbc87808e58004d87f1104945dc46febe1b5ea024105096b573
Instruction ID: 8f96cb63e8f4fbe3b52c21665b159580652a24c0b20e9ed5fc59f400280bbc31
Opcode Fuzzy Hash: 4d100f1d70421cbc87808e58004d87f1104945dc46febe1b5ea024105096b573
Instruction Fuzzy Hash: 18414E35A0021ADFCF00DF64D954AADBFB9EF08345F0080A5E915A7361CB30A945CFA1

Function 00B69C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B69CA1
GetAsyncKeyState.USER32(000000A0), ref: 00B69D22
GetKeyState.USER32(000000A0), ref: 00B69D3D
GetAsyncKeyState.USER32(000000A1), ref: 00B69D57
GetKeyState.USER32(000000A1), ref: 00B69D6C
GetAsyncKeyState.USER32(00000011), ref: 00B69D84
GetKeyState.USER32(00000011), ref: 00B69D96
GetAsyncKeyState.USER32(00000012), ref: 00B69DAE
GetKeyState.USER32(00000012), ref: 00B69DC0
GetAsyncKeyState.USER32(0000005B), ref: 00B69DD8
GetKeyState.USER32(0000005B), ref: 00B69DEA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6bdf252abb98800597c90db48d27297a49df4300a795537398b8a6e2744eccea
Instruction ID: cdc115fce61a809db9b4c86edcfd2d52f627835997646a25d3f71777a1538b89
Opcode Fuzzy Hash: 6bdf252abb98800597c90db48d27297a49df4300a795537398b8a6e2744eccea
Instruction Fuzzy Hash: 1341C4345047C969FF30866489043B5BEE8EF21344F0480FADAC6575C2DBB999D8C7A2

Function 00B8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B805BC
inet_addr.WSOCK32(?), ref: 00B8061C
gethostbyname.WSOCK32(?), ref: 00B80628
IcmpCreateFile.IPHLPAPI ref: 00B80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00B807B9
WSACleanup.WSOCK32 ref: 00B807BF

Strings

Ping, xrefs: 00B80676

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 132cfeef77623fe0a9e243ebac879f19393ee65b0099ba07f12be28acb40b4c9
Instruction ID: 8064291ebaae7a526ce5245ef28f432fa21fdecd0e86703f2ed15a464d2bf269
Opcode Fuzzy Hash: 132cfeef77623fe0a9e243ebac879f19393ee65b0099ba07f12be28acb40b4c9
Instruction Fuzzy Hash: 98918E356182419FD360EF15C988F1ABBE0EF44358F1485E9E4699B6B2CB30ED49CF91

Function 00B88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B88CF3

Part of subcall function 00B68E54: _wcslen.LIBCMT ref: 00B68E77

_wcslen.LIBCMT ref: 00B88D4E
_wcslen.LIBCMT ref: 00B88D9C
_wcslen.LIBCMT ref: 00B88DDC
_wcslen.LIBCMT ref: 00B88E6E

Strings

stdcall, xrefs: 00B88DD6, 00B88DDB
winapi, xrefs: 00B88D96, 00B88D9B
none, xrefs: 00B88E65, 00B88E6A
cdecl, xrefs: 00B88D48, 00B88D4D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5110be49ab6cab80d88e718f209234915dd9160bb6dfb808a936597a2ebbb9b0
Instruction ID: ca27f407c9a8c1f6a5575e3cb472418afc0aeb68377213241a757015fce1271a
Opcode Fuzzy Hash: 5110be49ab6cab80d88e718f209234915dd9160bb6dfb808a936597a2ebbb9b0
Instruction Fuzzy Hash: 33519331A001169BCB14EF6CC9809BEB7E6FF64725BA042A9E426E72D5DF31DD40C790

Function 00B8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00B83774
CoUninitialize.OLE32 ref: 00B8377F
CoCreateInstance.OLE32(?,00000000,00000017,00B9FB78,?), ref: 00B837D9
IIDFromString.OLE32(?,?), ref: 00B8384C
VariantInit.OLEAUT32(?), ref: 00B838E4
VariantClear.OLEAUT32(?), ref: 00B83936

Strings

Invalid parameter, xrefs: 00B83865
Failed to create object, xrefs: 00B837E4, 00B8389A
NULL Pointer assignment, xrefs: 00B8381E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1fea3febd9cec7dd5d890c7d5a0dc821f94f40baca05d3dbb005885dc25af769
Instruction ID: f67e11f2f40819110c5821b920bb89ef75dc132ec894ed69f4891e6a29918f77
Opcode Fuzzy Hash: 1fea3febd9cec7dd5d890c7d5a0dc821f94f40baca05d3dbb005885dc25af769
Instruction Fuzzy Hash: 7D618074608301AFD710EF54C889F6ABBE4EF45B10F104899F5859B2A1DB70EE48CB92

Function 00B73388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B733CF

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B733F0

Strings

Line %d (File "%s"):, xrefs: 00B73443, 00B7345C
^ ERROR , xrefs: 00B7349E
Incorrect parameters to object property !, xrefs: 00B734AB
Error: , xrefs: 00B734D1
"%s" (%d) : ==> %s:, xrefs: 00B73522
"%s" (%d) : ==> %s:%s%s, xrefs: 00B73504

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e4595864bd31f160a96db96082fbbd984aed9bd2194cd1fb898b3db55e7b1fb3
Instruction ID: 1456a72027e4ee11134c7aad260a2e0804fc8c1b13a872c1e06f0eba866f7641
Opcode Fuzzy Hash: e4595864bd31f160a96db96082fbbd984aed9bd2194cd1fb898b3db55e7b1fb3
Instruction Fuzzy Hash: 15518D71900209BADF18EBA0CD56EEEBBF8EF14740F1484A5F505721A2EB352F58DB60

Function 00B6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B6B5FC
_wcslen.LIBCMT ref: 00B6B608
_wcslen.LIBCMT ref: 00B6B64D
_wcslen.LIBCMT ref: 00B6B68C
_wcslen.LIBCMT ref: 00B6B6C7

Strings

REMOVE, xrefs: 00B6B602, 00B6B607
EXISTS, xrefs: 00B6B686, 00B6B68B
KEYS, xrefs: 00B6B647, 00B6B64C
APPEND, xrefs: 00B6B6C1, 00B6B6C6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0f39b3d4422f7f4b1bfe492970c93bed3dbed3b81452d494cbd3df03a382fb0a
Instruction ID: d369000e62dc1ce894c79a3c025e1dc725bd2fd70c27898808fe40e8ebb1c1ab
Opcode Fuzzy Hash: 0f39b3d4422f7f4b1bfe492970c93bed3dbed3b81452d494cbd3df03a382fb0a
Instruction Fuzzy Hash: E741C433A001269ACB205F7DC990DBEB7F5EBA0754B2445AAE825DB284E739CDC1C790

Function 00B75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B75416
GetLastError.KERNEL32 ref: 00B75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00B754A7

Strings

READONLY, xrefs: 00B75452
INVALID, xrefs: 00B75459
UNKNOWN, xrefs: 00B75444
READY, xrefs: 00B75460, 00B75468
NOTREADY, xrefs: 00B7544B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1090ebaec1acc8f78f3b8c6418e4b1115aeaf7aa89f489a67bd1265821d5288f
Instruction ID: 7ee68e2293b7f6d1e321433c2fae94e36708f5d3c1b928d4e4109ce18aa2eab8
Opcode Fuzzy Hash: 1090ebaec1acc8f78f3b8c6418e4b1115aeaf7aa89f489a67bd1265821d5288f
Instruction Fuzzy Hash: CB318F36A005049FD720DF68C484EAA7BE4EF05305F14C0A9E51ADB396DBB1DD82CB90

Function 00B93C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B93C79
SetMenu.USER32(?,00000000), ref: 00B93C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B93D10
IsMenu.USER32(?), ref: 00B93D24
CreatePopupMenu.USER32 ref: 00B93D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B93D5B
DrawMenuBar.USER32 ref: 00B93D63

Strings

F, xrefs: 00B93D4E
0, xrefs: 00B93C54

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 32bb8ba0aed18de14726ea88fbcbdd0fe81f8d0a1a7abf477c4f91c6137f012e
Instruction ID: bfc0f0541998c5564f358a2c520c6d5cf11d2706189b3b35f442d84c7654ee25
Opcode Fuzzy Hash: 32bb8ba0aed18de14726ea88fbcbdd0fe81f8d0a1a7abf477c4f91c6137f012e
Instruction Fuzzy Hash: A7419CB4A01209EFDF14CFA4D9A4AAA7BF5FF49300F140069F91697360DB30AA10CF90

Function 00B61EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B61F64
GetDlgCtrlID.USER32 ref: 00B61F6F
GetParent.USER32 ref: 00B61F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B61F8E
GetDlgCtrlID.USER32(?), ref: 00B61F97
GetParent.USER32(?), ref: 00B61FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B61FAE

Strings

ComboBox, xrefs: 00B61EEC
ListBox, xrefs: 00B61F21

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ff84a326fa4f32aec776d8b8d42f7f8bc0515688e11776401f348a6fc65e1f72
Instruction ID: 4d718aef6c53601422c6653fa278d48fa635cc690932b4e26db17ce957bcefaa
Opcode Fuzzy Hash: ff84a326fa4f32aec776d8b8d42f7f8bc0515688e11776401f348a6fc65e1f72
Instruction Fuzzy Hash: EF21BE71900214BBCF14AFA4CC85EEEBFF8EF15350F004596F961A72E2CB3959189B60

Function 00B61FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00B62043
GetDlgCtrlID.USER32 ref: 00B6204E
GetParent.USER32 ref: 00B6206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B6206D
GetDlgCtrlID.USER32(?), ref: 00B62076
GetParent.USER32(?), ref: 00B6208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B6208D

Strings

ComboBox, xrefs: 00B61FCD
ListBox, xrefs: 00B62002

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a795bbd60120527727640631ec1723bf69bafa46eb16a4bbefad34bc3a7a4921
Instruction ID: 4855a24ea75b51699f93ff7c2536765d2a89f4a70665d5dcfa866679727a664b
Opcode Fuzzy Hash: a795bbd60120527727640631ec1723bf69bafa46eb16a4bbefad34bc3a7a4921
Instruction Fuzzy Hash: 5E21A1B5D00218BBDF14AFA0CC85EEEBFF8EF15340F004096F951A72A2DA795954DB60

Function 00B93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00B93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B93C13

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: de038301ed41cb8575b4aa567ed6135cc23699657544e3d9ae4939fb9d9c0c29
Instruction ID: 1753e8f4c8da1a4c9c198c26ba7469518b0841a831db4ec2f0e1bb0df6893efa
Opcode Fuzzy Hash: de038301ed41cb8575b4aa567ed6135cc23699657544e3d9ae4939fb9d9c0c29
Instruction Fuzzy Hash: 58616C75900248AFDF10DFA8CC91EEE77F8EB09700F1045AAFA15A72A2D774AE45DB50

Function 00B32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B32C94

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B32CA0
_free.LIBCMT ref: 00B32CAB
_free.LIBCMT ref: 00B32CB6
_free.LIBCMT ref: 00B32CC1
_free.LIBCMT ref: 00B32CCC
_free.LIBCMT ref: 00B32CD7
_free.LIBCMT ref: 00B32CE2
_free.LIBCMT ref: 00B32CED
_free.LIBCMT ref: 00B32CFB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0d9d63ac56a35a841f7ac742c274036f345adb4123102123c4eaf4a6d77236de
Instruction ID: 1f3cb0ba10674a7c14eef15023f3d25467f179778b381ef866f6241962e540a7
Opcode Fuzzy Hash: 0d9d63ac56a35a841f7ac742c274036f345adb4123102123c4eaf4a6d77236de
Instruction Fuzzy Hash: 1A117476500118AFCB02EF54E982DDD7BA5FF05350FA146E5FA489F322DA31EE509B90

Function 00B77DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B77FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B77FC1
GetFileAttributesW.KERNEL32(?), ref: 00B77FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B78005
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78017
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B780B0

Strings

*.*, xrefs: 00B78066

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8f1515f113c220e66632a4f0f91b3faa977cd4d89f4a021dc4df21a98bc49256
Instruction ID: e89ae00c8adb80eaacfc51ded7a9729fb59b382b45fb2d0330821e947aea9ad2
Opcode Fuzzy Hash: 8f1515f113c220e66632a4f0f91b3faa977cd4d89f4a021dc4df21a98bc49256
Instruction Fuzzy Hash: A5818F725482419FDB20DF14C8849AEB7E8EB89314F148CDAF8ADD7250EB74DD498B92

Function 00B05BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B05C7A

Part of subcall function 00B05D0A: GetClientRect.USER32(?,?), ref: 00B05D30
Part of subcall function 00B05D0A: GetWindowRect.USER32(?,?), ref: 00B05D71
Part of subcall function 00B05D0A: ScreenToClient.USER32(?,?), ref: 00B05D99

GetDC.USER32 ref: 00B446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B44708
SelectObject.GDI32(00000000,00000000), ref: 00B44716
SelectObject.GDI32(00000000,00000000), ref: 00B4472B
ReleaseDC.USER32(?,00000000), ref: 00B44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B447C4

Strings

U, xrefs: 00B44693

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3275e0cc1b06b949e449400f7c831acc7c6756e0cf1e2b1396de1c823af36188
Instruction ID: a1b3c30ae2f5a1d2c6c1f92c541b01f5a88cf1b80d85da47adc4947ab548ca20
Opcode Fuzzy Hash: 3275e0cc1b06b949e449400f7c831acc7c6756e0cf1e2b1396de1c823af36188
Instruction Fuzzy Hash: A871CF31400205EFDF218F64C984BBA7BF5FF4A360F1442EAE9555A1A6CB319D62EF60

Function 00B7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B735E4

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

LoadStringW.USER32(00BD2390,?,00000FFF,?), ref: 00B7360A

Strings

Line %d (File "%s"):, xrefs: 00B7366B
Error: , xrefs: 00B736EF
"%s" (%d) : ==> %s:, xrefs: 00B73742
"%s" (%d) : ==> %s:%s%s, xrefs: 00B73724
^ ERROR, xrefs: 00B736C9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a7817616eda767b7280904b6cde025f8a238d3ffb98fa464aa2987607c85f366
Instruction ID: 63245d6e051dfb06fbc9dc1481ff47fd25f0e78ad6a7e2ebbfbd545967e0a73a
Opcode Fuzzy Hash: a7817616eda767b7280904b6cde025f8a238d3ffb98fa464aa2987607c85f366
Instruction Fuzzy Hash: B3516F71900209BADF15EBA0CC82EEEBFF8EF04750F1441A5F115721A2EB315A99DFA4

Function 00B98B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

Part of subcall function 00B1912D: GetCursorPos.USER32(?), ref: 00B19141
Part of subcall function 00B1912D: ScreenToClient.USER32(00000000,?), ref: 00B1915E
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000001), ref: 00B19183
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000002), ref: 00B1919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B98B6B
ImageList_EndDrag.COMCTL32 ref: 00B98B71
ReleaseCapture.USER32 ref: 00B98B77
SetWindowTextW.USER32(?,00000000), ref: 00B98C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B98C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B98CFF

Strings

@GUI_DROPID, xrefs: 00B98C51
@GUI_DRAGFILE, xrefs: 00B98C9A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: c35863480eed9c4720f33677f0f96599892855fab8e2cf493bb0192fee322492
Instruction ID: 1ac7ee064c0ffc40eed935a381480ddcf57022786317789b01e219bd5c286763
Opcode Fuzzy Hash: c35863480eed9c4720f33677f0f96599892855fab8e2cf493bb0192fee322492
Instruction Fuzzy Hash: 49518C71505300AFDB00DF14DCA6FAA7BE4FB89710F400AAEF956672E2DB709944CB62

Function 00B7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7C2CA
GetLastError.KERNEL32 ref: 00B7C322
SetEvent.KERNEL32(?), ref: 00B7C336
InternetCloseHandle.WININET(00000000), ref: 00B7C341

Strings

, xrefs: 00B7C2BB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fb5612042e5734b993351a1e9b15cb034e30455d68c7b21a4d415e48dd0d3d0a
Instruction ID: 3b36ecfc8971473d83248c5a29dc4423f451538dd3d535b17406e1a35162c47d
Opcode Fuzzy Hash: fb5612042e5734b993351a1e9b15cb034e30455d68c7b21a4d415e48dd0d3d0a
Instruction Fuzzy Hash: E33178B1600608AFDB219FA48D88AAB7FFCEB49744F10C55EF49A93201DB34ED049B74

Function 00B6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B43AAF,?,?,Bad directive syntax error,00B9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B698BC
LoadStringW.USER32(00000000,?,00B43AAF,?), ref: 00B698C3

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B69987

Strings

., xrefs: 00B6996D
%s (%d) : ==> %s.: %s %s, xrefs: 00B698F1
Line %d (File "%s"):, xrefs: 00B6992D
Line %d:, xrefs: 00B69912
Error: , xrefs: 00B69955

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e7b33cca79bd0ff170d390564b2c80674f2ec84d154a7807e5a02c0951abe128
Instruction ID: ed3a72f8cab88a82c97c4c952483a68d477289521b07a83309d3f52b44e4489a
Opcode Fuzzy Hash: e7b33cca79bd0ff170d390564b2c80674f2ec84d154a7807e5a02c0951abe128
Instruction Fuzzy Hash: 9F218031C1021AABCF15AF90CC4AEEE7BF9FF18740F0444AAF515620E2EB359658DB50

Function 00B6209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B6214D

Strings

largeicons, xrefs: 00B620E1
smallicons, xrefs: 00B62115
details, xrefs: 00B620FB
SHELLDLL_DefView, xrefs: 00B620CC
list, xrefs: 00B6212F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 263d0aa4c19fefbe2e708cc8e885c044ea9606bc0a2127b445ab7c4e220dbd94
Instruction ID: 35e72c873156cc2e021651eaa0081095351dceacc1cf2054ec575834b08a5009
Opcode Fuzzy Hash: 263d0aa4c19fefbe2e708cc8e885c044ea9606bc0a2127b445ab7c4e220dbd94
Instruction Fuzzy Hash: D2110A7768CB16B9FA116720EC06DA67BDCDB16324B2000EAFB08B50E1EE656C415514

Function 00B38D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412521f4fc2cc3cd17f5126dcb8d5873737179608f0fdf3e2e09f96f974e0436
Instruction ID: 505264239c1354a24d97d195ffe150891810b0d540e808d0be9dd31369090bac
Opcode Fuzzy Hash: 412521f4fc2cc3cd17f5126dcb8d5873737179608f0fdf3e2e09f96f974e0436
Instruction Fuzzy Hash: DEC1E174904359AFDB15EFA8D881BADBBF0EF09310F2441D9F419A7392CB749941CB61

Function 00B3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B3CEB7
_free.LIBCMT ref: 00B3CF22
_free.LIBCMT ref: 00B3CF48
_free.LIBCMT ref: 00B3CF71
_free.LIBCMT ref: 00B3CFA9
_free.LIBCMT ref: 00B3CFDA
_free.LIBCMT ref: 00B3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B3D09C
_free.LIBCMT ref: 00B3D0B5

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 50d78a3304ac45e6ccb458150dfd69382de94996b0628f1a0dddf7a1153aeff0
Instruction ID: 5251a8fdcd8e1f8e7424e600f59cad3e4a1168e4975f5a67cf9c2890caee6aeb
Opcode Fuzzy Hash: 50d78a3304ac45e6ccb458150dfd69382de94996b0628f1a0dddf7a1153aeff0
Instruction Fuzzy Hash: 9861E571905311AFDB25AFF8A891B69BFE6EF05310F3441FEF944A7241EA329905C750

Function 00B950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B95186
ShowWindow.USER32(?,00000000), ref: 00B951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00B951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B951D1

Part of subcall function 00B96FBA: DeleteObject.GDI32(00000000), ref: 00B96FE6

GetWindowLongW.USER32(?,000000F0), ref: 00B9520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B9521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B9524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B95287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B95296

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 890b88fc03f6df1f4bfc27d6a40b9ad4b6fd15d0e3155a80e2e3f2c081fb03cb
Instruction ID: 7b5edc53f5e19693cdbddfb2f7db15b5e47af8e0ca2e407495a2a424ea1aa96b
Opcode Fuzzy Hash: 890b88fc03f6df1f4bfc27d6a40b9ad4b6fd15d0e3155a80e2e3f2c081fb03cb
Instruction Fuzzy Hash: 4751B130AD0A18BFEF329F24CC46BD93BE5EB05321F1480A2F615A62E1C775A981DB40

Function 00B18B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B18874,00000000,00000000,00000000,000000FF,00000000), ref: 00B56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B18874,00000000,00000000,00000000,000000FF,00000000), ref: 00B5692D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: c826000016347cf2582a4f0a5f8375252743da7289ea79624361a4c71c085b74
Instruction ID: 9238aa37a4ad79a1d2a0fc6c74575a07b17da6e6886045a763636bf159688bb9
Opcode Fuzzy Hash: c826000016347cf2582a4f0a5f8375252743da7289ea79624361a4c71c085b74
Instruction Fuzzy Hash: 33519970A00209EFDB20CF24CCA5BAA7BF5FF58760F504599F906972A0DB71E991DB50

Function 00B7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7C182
GetLastError.KERNEL32 ref: 00B7C195
SetEvent.KERNEL32(?), ref: 00B7C1A9

Part of subcall function 00B7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7C272
Part of subcall function 00B7C253: GetLastError.KERNEL32 ref: 00B7C322
Part of subcall function 00B7C253: SetEvent.KERNEL32(?), ref: 00B7C336
Part of subcall function 00B7C253: InternetCloseHandle.WININET(00000000), ref: 00B7C341

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 49c391d85ff356768cf0af2c4ec3996e7a39621808f79752414cdc379b9c4356
Instruction ID: 7280f0d28724a2a512c2d337695b48e46b9d0488c5dbda80ff36cb65647df1ee
Opcode Fuzzy Hash: 49c391d85ff356768cf0af2c4ec3996e7a39621808f79752414cdc379b9c4356
Instruction Fuzzy Hash: B1319C71200601AFDB219FF5DD44A66BFF8FF18300B50846EF96A83612DB30E914DBA0

Function 00B625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B62627

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e00ecf2450208e796a98f032bd09aaee57f3b5d3b6c79cde20a68799b1e523e7
Instruction ID: 1f249fe4030d7c1dabb95057296fa76bc0f33a4053ec11d7d77c664d6df7fc57
Opcode Fuzzy Hash: e00ecf2450208e796a98f032bd09aaee57f3b5d3b6c79cde20a68799b1e523e7
Instruction Fuzzy Hash: A901D830390620BBFB106769DC8AF593F99DF4EB51F100012F318AF0E1CDE11444DA69

Function 00B61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B61449,?,?,00000000), ref: 00B6180C
HeapAlloc.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61449,?,?,00000000), ref: 00B61828
GetCurrentProcess.KERNEL32(?,00000000,?,00B61449,?,?,00000000), ref: 00B61830
DuplicateHandle.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61449,?,?,00000000), ref: 00B61843
GetCurrentProcess.KERNEL32(00B61449,00000000,?,00B61449,?,?,00000000), ref: 00B6184B
DuplicateHandle.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B6184E
CreateThread.KERNEL32(00000000,00000000,00B61874,00000000,00000000,00000000), ref: 00B61868

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3d89e1d27285a677ca69eaec7a344767838c9a1e40f8af93d6dcc0f2a0eb5c91
Instruction ID: f5443b3ffaf9aa15ffce82d29b5cbf5a9af8cf633084b9cced82fcc65e9ec7ab
Opcode Fuzzy Hash: 3d89e1d27285a677ca69eaec7a344767838c9a1e40f8af93d6dcc0f2a0eb5c91
Instruction Fuzzy Hash: 0801BF75240304BFE710AB65DD4DF5B3FACEB89B11F504411FA05DB1A1CA749800CB34

Function 00B8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B6D501
Part of subcall function 00B6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B6D50F
Part of subcall function 00B6D4DC: CloseHandle.KERNELBASE(00000000), ref: 00B6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8A16D
GetLastError.KERNEL32 ref: 00B8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B8A268
GetLastError.KERNEL32(00000000), ref: 00B8A273
CloseHandle.KERNEL32(00000000), ref: 00B8A2C4

Strings

SeDebugPrivilege, xrefs: 00B8A18F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3406cb7d0b48576cd24cefb84d0b6eb529169f9cab939d518a5d4a68d35717c3
Instruction ID: 6c35887d594986b6592fa9d0849124fc79dfe650f4da7f31c7fe2206eb70a320
Opcode Fuzzy Hash: 3406cb7d0b48576cd24cefb84d0b6eb529169f9cab939d518a5d4a68d35717c3
Instruction Fuzzy Hash: 3B616B702082429FE720EF19C494F15BBE5AF44318F1884DDE4668B7A3CB76ED49CB92

Function 00B93886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B93954
_wcslen.LIBCMT ref: 00B93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B939F4

Strings

SysListView32, xrefs: 00B938F7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 32ca671836520b7580ecb842c97a596ec374bf9f307d32121027f1d44add97d9
Instruction ID: 89586ca7e0cebcc7bc8e62add0c3a6d5d8d61068828e3f95187372c1f74a9e5f
Opcode Fuzzy Hash: 32ca671836520b7580ecb842c97a596ec374bf9f307d32121027f1d44add97d9
Instruction Fuzzy Hash: 0F41A371A00218ABEF219F64CC85FEA7BE9EF08750F1005A6F959E7291D7719E80CB90

Function 00B6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6BCFD
IsMenu.USER32(00000000), ref: 00B6BD1D
CreatePopupMenu.USER32 ref: 00B6BD53
GetMenuItemCount.USER32(01635870), ref: 00B6BDA4
InsertMenuItemW.USER32(01635870,?,00000001,00000030), ref: 00B6BDCC

Strings

0, xrefs: 00B6BCA8
2, xrefs: 00B6BD37

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e80d94e2aa91820be48d7e168a7052d36da53279e0901cd60f5d12b553faeedb
Instruction ID: abfa2cb1fbddd2e8c4ccedb65fc363e3af52a6467096a00a30691a54f61c9c28
Opcode Fuzzy Hash: e80d94e2aa91820be48d7e168a7052d36da53279e0901cd60f5d12b553faeedb
Instruction Fuzzy Hash: 32519E70A00205ABDF20CFA8D9C4FAEBBF8FF55314F1442AAE455DB291D7789981CB61

Function 00B6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B6C913

Strings

info, xrefs: 00B6C8B4
blank, xrefs: 00B6C895
stop, xrefs: 00B6C8E4
question, xrefs: 00B6C8CC
warning, xrefs: 00B6C8FC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3dae02ab501efefe20e0ce2d20b11b3ec7ff15c9232b014e7fdd493c65cefa9a
Instruction ID: 569831104e1f752be5714ab5af8c5a413c9bebd89c221ebf8339073c8ab3bb15
Opcode Fuzzy Hash: 3dae02ab501efefe20e0ce2d20b11b3ec7ff15c9232b014e7fdd493c65cefa9a
Instruction Fuzzy Hash: 6C110A32789306BAE7069B54AC83DBA6BDCDF16354B2004FFF944E62C2E7B85E005264

Function 00B6DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B6DE42
gethostname.WSOCK32(?,00000100), ref: 00B6DE5C
gethostbyname.WSOCK32(?), ref: 00B6DE69
inet_ntoa.WSOCK32(?), ref: 00B6DEAB
_strcat.LIBCMT ref: 00B6DEB9
WSACleanup.WSOCK32 ref: 00B6DEDE

Strings

0.0.0.0, xrefs: 00B6DE87

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 525841287f81f9265051f51926583383251ff56e9272ff14f0b75c0a61a60b6f
Instruction ID: ca2cf30e7f48cf2b26af14ddb6427c81b69459ab17b92aaf93ff13a88f88becb
Opcode Fuzzy Hash: 525841287f81f9265051f51926583383251ff56e9272ff14f0b75c0a61a60b6f
Instruction Fuzzy Hash: BE11DA71A04115AFCF20AB609D4AEEE7BECDF11711F1501EAF54997091EFB98A818AA0

Function 00B99F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

GetSystemMetrics.USER32(0000000F), ref: 00B99FC7
GetSystemMetrics.USER32(0000000F), ref: 00B99FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B9A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B9A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B9A263
ShowWindow.USER32(00000003,00000000), ref: 00B9A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00B9A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B9A2CA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e290be106f5bb95e4de389467452581b0cb6918d36aeefef30058a5b5b67f09a
Instruction ID: e24225de890636281bdb290766a77ed7c82734e01a0322ed405df320437b81d2
Opcode Fuzzy Hash: e290be106f5bb95e4de389467452581b0cb6918d36aeefef30058a5b5b67f09a
Instruction Fuzzy Hash: 27B16931600225EBDF14CF68C9857AE7BF2FF45701F1980B9EC49AB295DB31A940CBA1

Function 00B6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B6ED2A
_wcslen.LIBCMT ref: 00B6ED3B
_wcslen.LIBCMT ref: 00B6ED79
_wcslen.LIBCMT ref: 00B6EDAF
_wcslen.LIBCMT ref: 00B6EDDF
_wcslen.LIBCMT ref: 00B6EDEF
_wcslen.LIBCMT ref: 00B6EE2B
_wcslen.LIBCMT ref: 00B6EE5A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 53024166e61af102c0df2e5999a762e89420149ac4c17b9f3c7d7b46a19507fa
Instruction ID: 5bcfea85b39cb3f1ad8e90067b19188591010c4bd5a83eaf320965fde9cc6b22
Opcode Fuzzy Hash: 53024166e61af102c0df2e5999a762e89420149ac4c17b9f3c7d7b46a19507fa
Instruction Fuzzy Hash: CB41A365C10228B5CB11EBF4DC8A9CFB7E8AF49710F5084A6E52CE3121FB38E655C3A5

Function 00B1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B5F454

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 36430d78a5c881d1231bcf9f6045d33cacd8ac3a8846f2ca1d9881e79be88271
Instruction ID: 68438e67b3bf05d458537913531058741db514e64be15e0b7d9fb26dc5cf2ba5
Opcode Fuzzy Hash: 36430d78a5c881d1231bcf9f6045d33cacd8ac3a8846f2ca1d9881e79be88271
Instruction Fuzzy Hash: 64416C30508282BAD734AB6C89D87BABFD2EB463A0FD844FDE44753660DA35D8C1CB10

Function 00B92D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B92D1B
GetDC.USER32(00000000), ref: 00B92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00B92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B92DE1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 76ba475c19f740e7870cd19c4a46684d2292bfad0099493fc2c3d13d48eb45da
Instruction ID: 538d8807bd6e27f86ab7fe991d7319f974613b946c5234a20861ecf8c01e8621
Opcode Fuzzy Hash: 76ba475c19f740e7870cd19c4a46684d2292bfad0099493fc2c3d13d48eb45da
Instruction Fuzzy Hash: 6D316B72201214BBEF118F508D8AFEB3FA9EF09715F044066FE089B291CA759C50CBB4

Function 00B65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B65637
_memcmp.LIBVCRUNTIME ref: 00B65659
_memcmp.LIBVCRUNTIME ref: 00B65671
_memcmp.LIBVCRUNTIME ref: 00B65684
_memcmp.LIBVCRUNTIME ref: 00B6569E
_memcmp.LIBVCRUNTIME ref: 00B656B1
_memcmp.LIBVCRUNTIME ref: 00B656C9
_memcmp.LIBVCRUNTIME ref: 00B656E4

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ea788eb2225b797034869a7c00c6db08b7a4312d5ab98a0dda36c8f09fc8ebb0
Instruction ID: e387994279d4b77293f7ae5a5f545fcf6708b5efed452063baa133ae6442ae58
Opcode Fuzzy Hash: ea788eb2225b797034869a7c00c6db08b7a4312d5ab98a0dda36c8f09fc8ebb0
Instruction Fuzzy Hash: D321A762641A1A77D6249E24DD82FBA33DDEF213A4F4440F0FD089A581F728ED30C1A9

Function 00B84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B85007
NULL Pointer assignment, xrefs: 00B8502E, 00B85383

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9010e29b0c32fbf18762ad21929c87b9b223ecf5759360cbaed2c41f90efcadc
Instruction ID: e660589fcac2ca0dc26b098b9a4261703406691aade603c440ceec507f3ccf2d
Opcode Fuzzy Hash: 9010e29b0c32fbf18762ad21929c87b9b223ecf5759360cbaed2c41f90efcadc
Instruction Fuzzy Hash: C4D1B375A0060A9FDF20EFA8C885BAEB7F5FF48344F1480A9E915AB2A1D770DD45CB50

Function 00B41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00B415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00B417FB,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B416FB

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41777
__freea.LIBCMT ref: 00B417A2
__freea.LIBCMT ref: 00B417AE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f87961bc1a1524878c700d8b9438808c0064542d4ca5589e4de8248471bd8ed1
Instruction ID: 62502238a2bc3fa68e844b0fa9edd05a5769977878043fe0b1f8f2af11ee2b02
Opcode Fuzzy Hash: f87961bc1a1524878c700d8b9438808c0064542d4ca5589e4de8248471bd8ed1
Instruction Fuzzy Hash: 8391B371E102169ADF208F7CC881AEE7BF5EF59750F184A99E805E7141EB35DE80EB60

Function 00B84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B84648
VariantInit.OLEAUT32(?), ref: 00B84749
VariantClear.OLEAUT32(?), ref: 00B84753
VariantClear.OLEAUT32(?), ref: 00B847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B8472C
Null Object assignment in FOR..IN loop, xrefs: 00B845D8, 00B84706, 00B847BE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 16c5869bd7736191073750cca5c8cba4184e2fbea016c5b6faffb833675e93f8
Instruction ID: 73dcb491d1a9254f28b50cc5c600a0d8ae7f7ca92f14777ce15e75f8b42fea65
Opcode Fuzzy Hash: 16c5869bd7736191073750cca5c8cba4184e2fbea016c5b6faffb833675e93f8
Instruction Fuzzy Hash: 76918075A00216ABDF20DFA4C884FAEBBF8EF46710F108599F515AB290D7709D45CFA0

Function 00B71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B71430

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 27d0ede419191ee02ad0ca63e5ee2bc37601d74e2ac01171da6a3c65a99dba89
Instruction ID: 0eea9453e7346164e4332519162182a095ee88a193a4bf2dec3c6bf8474639cd
Opcode Fuzzy Hash: 27d0ede419191ee02ad0ca63e5ee2bc37601d74e2ac01171da6a3c65a99dba89
Instruction Fuzzy Hash: D091D171A00209AFDB00DFACD885BBE77F5FF45311F1588A9E924EB292D774A941CB60

Function 00B1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 81f64bc2b8a76bcb6b7e41a9a8b56be264a0ac129c7438695548d7a8b60f5255
Instruction ID: eeb9f867c681b6da123c9e123590e868c5af5073464b010a1d16132e59e95f62
Opcode Fuzzy Hash: 81f64bc2b8a76bcb6b7e41a9a8b56be264a0ac129c7438695548d7a8b60f5255
Instruction Fuzzy Hash: 80912671E40219EFCB10CFA9C884AEEBBF9FF49320F544095E915B7251D774AA82CB60

Function 00B83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B8396B
CharUpperBuffW.USER32(?,?), ref: 00B83A7A
_wcslen.LIBCMT ref: 00B83A8A
VariantClear.OLEAUT32(?), ref: 00B83C1F

Part of subcall function 00B70CDF: VariantInit.OLEAUT32(00000000), ref: 00B70D1F
Part of subcall function 00B70CDF: VariantCopy.OLEAUT32(?,?), ref: 00B70D28
Part of subcall function 00B70CDF: VariantClear.OLEAUT32(?), ref: 00B70D34

Strings

Incorrect Parameter format, xrefs: 00B839A6, 00B83BA1
AUTOIT.ERROR, xrefs: 00B83A80, 00B83A85

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4cc66122d9c91f91bd23785d89aa934041939146b13679b1de9ea9325e48ca42
Instruction ID: a195c3d33a31710ca0848851d78214e0c8e380bce6b17c9ee0dca87c6dce9d58
Opcode Fuzzy Hash: 4cc66122d9c91f91bd23785d89aa934041939146b13679b1de9ea9325e48ca42
Instruction Fuzzy Hash: 7E915A756083059FC704EF24C49096ABBE4FF89B14F1488ADF89A97361DB31EE45CB92

Function 00B84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?,?,00B6035E), ref: 00B6002B
Part of subcall function 00B6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60046
Part of subcall function 00B6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60054
Part of subcall function 00B6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?), ref: 00B60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B84C51
_wcslen.LIBCMT ref: 00B84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B84DCF
CoTaskMemFree.OLE32(?), ref: 00B84DDA

Strings

NULL Pointer assignment, xrefs: 00B84E23, 00B84E52

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 25451e87bc288dbe55793a6108064cc26374044520849b55b5fb35f9b2cfa5ce
Instruction ID: c6e8428da3fecb95a3e1415e7246903c053b83f267225c11782ac45ef41bc54c
Opcode Fuzzy Hash: 25451e87bc288dbe55793a6108064cc26374044520849b55b5fb35f9b2cfa5ce
Instruction Fuzzy Hash: DD911871D00219AFDF14EFA4D891AEEBBF8FF08310F1085A9E515A7291DB349A44CF60

Function 00B920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B92183
GetMenuItemCount.USER32(00000000), ref: 00B921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B921DD
_wcslen.LIBCMT ref: 00B92213
GetMenuItemID.USER32(?,?), ref: 00B9224D
GetSubMenu.USER32(?,?), ref: 00B9225B

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B922E3

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: abdf214dd7b306c04cd837291c9d0eefb3c5a11117a1f13776e0217578cf1f6a
Instruction ID: 54566410cdf4c2695b0785c80bbc97f762c2ee5b80006e4825d5d5ab7c2b7b2d
Opcode Fuzzy Hash: abdf214dd7b306c04cd837291c9d0eefb3c5a11117a1f13776e0217578cf1f6a
Instruction Fuzzy Hash: 4B713D75E00215AFCF14EF64C885AAEBBF5EF48310F1584A9E916EB351DB34ED418B90

Function 00B97E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01635820), ref: 00B97F37
IsWindowEnabled.USER32(01635820), ref: 00B97F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B9801E
SendMessageW.USER32(01635820,000000B0,?,?), ref: 00B98051
IsDlgButtonChecked.USER32(?,?), ref: 00B98089
GetWindowLongW.USER32(01635820,000000EC), ref: 00B980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B980C3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 7bd4796b1323c7785180eadaebb0065eebb32a236d86a5a13a4e79d698c9c79e
Instruction ID: 130106f28e840fa6a541a9c706b1abd29e57fed6fd6974f17c9220474ec0d0fe
Opcode Fuzzy Hash: 7bd4796b1323c7785180eadaebb0065eebb32a236d86a5a13a4e79d698c9c79e
Instruction Fuzzy Hash: F5717134658284AFEF219F64C894FBABBF5EF1A300F1444EAE94567261CF31AC45DB60

Function 00B6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B6AEF9
GetKeyboardState.USER32(?), ref: 00B6AF0E
SetKeyboardState.USER32(?), ref: 00B6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B6B020

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 42b9fe9da02fcefe88a92e34e9a2d3469168a2c865188566bcb0895f4110e311
Instruction ID: 7cf1a4e16903500814f37fcd7a9e5bed7d59f62aa6bcb72d3845677abc978d31
Opcode Fuzzy Hash: 42b9fe9da02fcefe88a92e34e9a2d3469168a2c865188566bcb0895f4110e311
Instruction Fuzzy Hash: 1051C4A1A047D53DFB3642348C45BBA7EE9AB06304F0884C9E1D9958C3C7ADA8C4DB52

Function 00B6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B6AD19
GetKeyboardState.USER32(?), ref: 00B6AD2E
SetKeyboardState.USER32(?), ref: 00B6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B6AE38

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bd085e7bfe3402ba7104a5518e8a4d884b0b5dfa2cc2c7291197d404ac95b00a
Instruction ID: 6abc95e878719fee37ec9cb6a557b2312dd946e9331c6fd3e1d580382a894d81
Opcode Fuzzy Hash: bd085e7bfe3402ba7104a5518e8a4d884b0b5dfa2cc2c7291197d404ac95b00a
Instruction Fuzzy Hash: A951E6A16047D53DFF3283348C95B7ABEE8AB46300F1884D9E1D5668C3C69DEC84DB52

Function 00B3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00B43CD6,?,?,?,?,?,?,?,?,00B35BA3,?,?,00B43CD6,?,?), ref: 00B35470
__fassign.LIBCMT ref: 00B354EB
__fassign.LIBCMT ref: 00B35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00B43CD6,00000005,00000000,00000000), ref: 00B3552C
WriteFile.KERNEL32(?,00B43CD6,00000000,00B35BA3,00000000,?,?,?,?,?,?,?,?,?,00B35BA3,?), ref: 00B3554B
WriteFile.KERNEL32(?,?,00000001,00B35BA3,00000000,?,?,?,?,?,?,?,?,?,00B35BA3,?), ref: 00B35584

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d94c57b8aa5c322346cb2567c1d89526e09b6f0c8b93f717a7ead52fccf2cb93
Instruction ID: 950690f0b8b1afb7759f9527dcf62f6ef73802bddbcb4670094c1a0fa18e39d1
Opcode Fuzzy Hash: d94c57b8aa5c322346cb2567c1d89526e09b6f0c8b93f717a7ead52fccf2cb93
Instruction Fuzzy Hash: 4751D6709006499FDB20CFA8D885BEEBBF9EF19300F25455AF555E7291E730AA41CB60

Function 00B22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B22D53
_ValidateLocalCookies.LIBCMT ref: 00B22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B22E0C
_ValidateLocalCookies.LIBCMT ref: 00B22E61

Strings

csm, xrefs: 00B22DF6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 762c3d6212ab54944c9a6303e5823ea199e08f473c7db350a97137274c4f76b9
Instruction ID: 6e32e41bb9e31a891bff9a952b18192daab49787a5e5b6e33c386feb228e5372
Opcode Fuzzy Hash: 762c3d6212ab54944c9a6303e5823ea199e08f473c7db350a97137274c4f76b9
Instruction Fuzzy Hash: 7A41D634E00228ABCF10DF68D845AAEBBF5FF45364F1481E5E81DAB352D7359A11CB91

Function 00B810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
Part of subcall function 00B8304E: _wcslen.LIBCMT ref: 00B8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B81112
WSAGetLastError.WSOCK32 ref: 00B81121
WSAGetLastError.WSOCK32 ref: 00B811C9
closesocket.WSOCK32(00000000), ref: 00B811F9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cac76d88fa4d5114c8f37b103080df1bb11b9dd2affc7ff182716872f06909e0
Instruction ID: a2b9ca38501a60021395d89a827c9f7aecdeb02293dcc23cd9da18598414d857
Opcode Fuzzy Hash: cac76d88fa4d5114c8f37b103080df1bb11b9dd2affc7ff182716872f06909e0
Instruction Fuzzy Hash: A141F731600104AFDB10BF58C888BA9BBE9EF45754F148599F905AB2A1CB74AD42CBA1

Function 00B6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6CF22,?), ref: 00B6DDFD

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6CF22,?), ref: 00B6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00B6CF45
MoveFileW.KERNEL32(?,?), ref: 00B6CF7F
_wcslen.LIBCMT ref: 00B6D005
_wcslen.LIBCMT ref: 00B6D01B
SHFileOperationW.SHELL32(?), ref: 00B6D061

Strings

\*.*, xrefs: 00B6CFF3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9bed999475bee77580376dd6e65a516da947e7a701b5b2f9a758a612cae6eab7
Instruction ID: 9e2010e52448508742abfc15e7120c7aa2ea24142ecc1c69c1fae613fbe4b1da
Opcode Fuzzy Hash: 9bed999475bee77580376dd6e65a516da947e7a701b5b2f9a758a612cae6eab7
Instruction Fuzzy Hash: 0E411871D451199FDF12EFA4D981AED77F9EF08380F1000E6E549E7141EB34A688CB50

Function 00B92DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B92E1C
GetWindowLongW.USER32(?,000000F0), ref: 00B92E4F
GetWindowLongW.USER32(?,000000F0), ref: 00B92E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B92EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B92EE0
GetWindowLongW.USER32(?,000000F0), ref: 00B92EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B92F0B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7b6c89c70bc233ec3a90d6940af1a3def131a9e49adf4478e9875555815cd620
Instruction ID: dfcb41fcdfde3409575728cc7c74e666c6a3dd701e23dbcb8e92877494cfeb10
Opcode Fuzzy Hash: 7b6c89c70bc233ec3a90d6940af1a3def131a9e49adf4478e9875555815cd620
Instruction Fuzzy Hash: 95311035A05640AFEF21CF18DEE5FA53BE0EB8A710F1501A6F9008B2B2CB71A840DB50

Function 00B67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6778F
SysAllocString.OLEAUT32(00000000), ref: 00B67792
SysAllocString.OLEAUT32(?), ref: 00B677B0
SysFreeString.OLEAUT32(?), ref: 00B677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00B677DE
SysAllocString.OLEAUT32(?), ref: 00B677EC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9265b3b71096e4930a9ff0ef1478a745ad8cf9489f5aa4da0115467f4f3a42a7
Instruction ID: f093d19e8773c4859e5c7b3f3359d26a255870c1d4a0e7ffc814187e89276ee8
Opcode Fuzzy Hash: 9265b3b71096e4930a9ff0ef1478a745ad8cf9489f5aa4da0115467f4f3a42a7
Instruction Fuzzy Hash: 3921B376608219AFDF10DFA8CD88CBB77ECEB097687148066FA15DB250DA78DC41C7A4

Function 00B677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67868
SysAllocString.OLEAUT32(00000000), ref: 00B6786B
SysAllocString.OLEAUT32 ref: 00B6788C
SysFreeString.OLEAUT32 ref: 00B67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00B678AF
SysAllocString.OLEAUT32(?), ref: 00B678BD

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b4f084348bca954ef3fb76e4f22940ad059940924fcd25b6980418741ca920e3
Instruction ID: 08c50ffdc2271e986bf6b302b3f4723c56d4c057163870d9958920e066751246
Opcode Fuzzy Hash: b4f084348bca954ef3fb76e4f22940ad059940924fcd25b6980418741ca920e3
Instruction Fuzzy Hash: 9D21AF32608204AFDB10AFB9DC8CDBA77ECEB087647108166F915CB2A1DE74DC81CB64

Function 00B704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B7052E

Strings

nul, xrefs: 00B70567

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 50e0ab71c01569faf5199821339328d34aefe27eb05ca4c6ddea49e87c4df335
Instruction ID: 462dc9a4f0b9853e032e690f30058e2fd201017c20433a5bc229694cca0cb172
Opcode Fuzzy Hash: 50e0ab71c01569faf5199821339328d34aefe27eb05ca4c6ddea49e87c4df335
Instruction Fuzzy Hash: 91215C75510305EBDB20AF29D884A9A7BF4EF64724F208A5AF8B9D72E0D7709940CF20

Function 00B705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B70601

Strings

nul, xrefs: 00B70639

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5a774baa18f66b6179d4b910ddbed05eed55ddf3068a998265fd26b3142f7cd8
Instruction ID: 21f1522be1ac3b5fc9c63db9a31919d84d2dd3f810e1cc53b0a9bee5c108644f
Opcode Fuzzy Hash: 5a774baa18f66b6179d4b910ddbed05eed55ddf3068a998265fd26b3142f7cd8
Instruction Fuzzy Hash: 2C21A175510305DBDB20AF698C54A9A77E4FF95720F208A5BF8B5E72E0DB70D960CB20

Function 00B940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
Part of subcall function 00B0600E: GetStockObject.GDI32(00000011), ref: 00B06060
Part of subcall function 00B0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B94145

Strings

Msctls_Progress32, xrefs: 00B940E3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0a7bddb7a1ce12a3af918f3db8a50786a337e5e289de1823fab0e3529d298944
Instruction ID: a0201fbb585e4463712c35d13184a0302370f927ef4421dbe55c45d4389d4e3f
Opcode Fuzzy Hash: 0a7bddb7a1ce12a3af918f3db8a50786a337e5e289de1823fab0e3529d298944
Instruction Fuzzy Hash: C311B2B2140229BEEF118F64CC85EE77F9DEF08798F004121BA18A6090CB72DC21DBA4

Function 00B3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3D7A3: _free.LIBCMT ref: 00B3D7CC

_free.LIBCMT ref: 00B3D82D

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3D838
_free.LIBCMT ref: 00B3D843
_free.LIBCMT ref: 00B3D897
_free.LIBCMT ref: 00B3D8A2
_free.LIBCMT ref: 00B3D8AD
_free.LIBCMT ref: 00B3D8B8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 87228a91b2fc617b8a90bad0944f669b7e89f0bf956430d94a456c163124d167
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 27118271940B14FAD631BFF0EC47FCB7BDCAF00700F5009A5B699A6292DA75B9058760

Function 00B6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B6DA74
LoadStringW.USER32(00000000), ref: 00B6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B6DA91
LoadStringW.USER32(00000000), ref: 00B6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B6DAB9

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e02d2253a78d5e05c6ec8c3977d6b4b29e8cb16cf61950964080c580fbea01a9
Instruction ID: 0356a8f758a0287f6be478f798e845a827e19d58a62c012de72f4788724d5b74
Opcode Fuzzy Hash: e02d2253a78d5e05c6ec8c3977d6b4b29e8cb16cf61950964080c580fbea01a9
Instruction Fuzzy Hash: C50112F69042187FEB51DBE49E89EE77BACE708701F404496B746E3041EA749E844F74

Function 00B7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0162EC58,0162EC58), ref: 00B7097B
EnterCriticalSection.KERNEL32(0162EC38,00000000), ref: 00B7098D
TerminateThread.KERNEL32(?,000001F6), ref: 00B7099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00B709A9
CloseHandle.KERNEL32(?), ref: 00B709B8
InterlockedExchange.KERNEL32(0162EC58,000001F6), ref: 00B709C8
LeaveCriticalSection.KERNEL32(0162EC38), ref: 00B709CF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 02928b361160065f37036a3fdb33e37578778aa3fee202a246e3844ff7bed1fb
Instruction ID: f7d9771abc75c2b94a7422aeba5563e0793e23db51c16d328f5a93ced8e1f600
Opcode Fuzzy Hash: 02928b361160065f37036a3fdb33e37578778aa3fee202a246e3844ff7bed1fb
Instruction Fuzzy Hash: 00F01D31442912EBD7415BA4EF89AD67A25FF01702F901017F201518A0CB75A465CFA0

Function 00B81C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B81DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B81DE1
WSAGetLastError.WSOCK32 ref: 00B81DF2
htons.WSOCK32(?,?,?,?,?), ref: 00B81EDB
inet_ntoa.WSOCK32(?), ref: 00B81E8C

Part of subcall function 00B639E8: _strlen.LIBCMT ref: 00B639F2

Part of subcall function 00B83224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00B7EC0C), ref: 00B83240

_strlen.LIBCMT ref: 00B81F35

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: d9389abd9f43cb39e8599901cdf074ce2f4652fcaef234e6cdeca6a5a6aaf84d
Instruction ID: d3947aa3270cf4c719ed1480b5088298d9feddfe3af49e95454c3299b3791fd3
Opcode Fuzzy Hash: d9389abd9f43cb39e8599901cdf074ce2f4652fcaef234e6cdeca6a5a6aaf84d
Instruction Fuzzy Hash: CAB1B131204340AFC324EF28C895E6A7BE9EF84318F54899CF5565B2E2DB71ED46CB91

Function 00B05D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B05D30
GetWindowRect.USER32(?,?), ref: 00B05D71
ScreenToClient.USER32(?,?), ref: 00B05D99
GetClientRect.USER32(?,?), ref: 00B05ED7
GetWindowRect.USER32(?,?), ref: 00B05EF8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 75f29e663700da0bbf062c831226e5959cb91cd2a0d63ff7c5b488217da7565a
Instruction ID: 82abecf7c225228cf6051109c42e2bff30d193525d506033ce07aef4c3a24b58
Opcode Fuzzy Hash: 75f29e663700da0bbf062c831226e5959cb91cd2a0d63ff7c5b488217da7565a
Instruction Fuzzy Hash: E4B16A34A0064ADFDB20CFA9C4807EABBF1FF58310F14855AE8A9D7690DB34AA51DF54

Function 00B301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B300D6
__allrem.LIBCMT ref: 00B300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3010B
__allrem.LIBCMT ref: 00B30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B30140

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9ff5503e830f9413901a49ebec1982c0a3a34599de1ce729a8b80691ec804afa
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C7812672A01B16ABE724AF28DC92B6BB3F8EF41720F3445BAF555D6681E770D9008790

Function 00B361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B282D9,00B282D9,?,?,?,00B3644F,00000001,00000001,8BE85006), ref: 00B36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B3644F,00000001,00000001,8BE85006,?,?,?), ref: 00B362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B363D8
__freea.LIBCMT ref: 00B363E5

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

__freea.LIBCMT ref: 00B363EE
__freea.LIBCMT ref: 00B36413

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d2e0c3fb8d4f6832bdd2dd2f163b60c5dfb75e413cf18391b2ca86d429687d44
Instruction ID: 3a2fee5fb73b0e1361fbe8e2595138bd8c6cd49f9de449035b533908ed7c3560
Opcode Fuzzy Hash: d2e0c3fb8d4f6832bdd2dd2f163b60c5dfb75e413cf18391b2ca86d429687d44
Instruction Fuzzy Hash: 4E51BD72A00216BBEB258F68CC81EAF7BE9EB44750F3586A9F805D6140EB34DC40D6A4

Function 00B8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00B8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B8BDF3
RegCloseKey.ADVAPI32(?), ref: 00B8BDFF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8eb428baa6a487b2f3756710676de257e3c06af1454432a3a3ede009db5434e4
Instruction ID: 8a5208f7943432aa3f2a38104884956b63d7e2beac772ef4cc6d8a3eb2d5e8a3
Opcode Fuzzy Hash: 8eb428baa6a487b2f3756710676de257e3c06af1454432a3a3ede009db5434e4
Instruction Fuzzy Hash: 3F819071208241EFD714EF24C895E2ABBE5FF84308F1489ADF5594B2A2DB31ED45CB92

Function 00B5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00B5F860
VariantCopy.OLEAUT32(00B5FA64,00000000), ref: 00B5F889
VariantClear.OLEAUT32(00B5FA64), ref: 00B5F8AD
VariantCopy.OLEAUT32(00B5FA64,00000000), ref: 00B5F8B1
VariantClear.OLEAUT32(?), ref: 00B5F8BB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f15124b76b7a790ca840035abca39f574bdaf2008061d5a9a7932ee69f4c7cca
Instruction ID: c48ae3398cdeff712b5d5215e240df342235ba70b45998950f76a06efc2ded4c
Opcode Fuzzy Hash: f15124b76b7a790ca840035abca39f574bdaf2008061d5a9a7932ee69f4c7cca
Instruction Fuzzy Hash: A451A331600312AACF20AB65D895B39F7E8EF45312B2494E7ED05DF296DB709C84CB96

Function 00B7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B794E5
_wcslen.LIBCMT ref: 00B79506
_wcslen.LIBCMT ref: 00B7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00B79585

Strings

X, xrefs: 00B79412

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f1f541b95dbffbb6b378b27db47aa3b3a63e13df695ac6cfb04b131ab6561b1a
Instruction ID: f11ae35c1b187595217304aacfd1393b8d0c37c3805628630417ea4caae2732f
Opcode Fuzzy Hash: f1f541b95dbffbb6b378b27db47aa3b3a63e13df695ac6cfb04b131ab6561b1a
Instruction Fuzzy Hash: 7CE1A2315083119FD724DF24C881A6ABBE4FF95314F0489ADF8999B3A2DB31DD45CB92

Function 00B1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

BeginPaint.USER32(?,?,?), ref: 00B19241
GetWindowRect.USER32(?,?), ref: 00B192A5
ScreenToClient.USER32(?,?), ref: 00B192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B192D3
EndPaint.USER32(?,?,?,?,?), ref: 00B19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B571EA

Part of subcall function 00B19339: BeginPath.GDI32(00000000), ref: 00B19357

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 2f49b95d710f58cbf15ecf07b5ca39858e1f42594dfc085ab43fce88a52fd7f2
Instruction ID: 822fd9a370bff51a7261abd58f82e7d63574e51e9774aeb22b1527a2c237db82
Opcode Fuzzy Hash: 2f49b95d710f58cbf15ecf07b5ca39858e1f42594dfc085ab43fce88a52fd7f2
Instruction Fuzzy Hash: E241C130205340AFD710DF68DCA4FBA7BF8EF45321F1406AAF964972A1DB319985DB61

Function 00B707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B70847
EnterCriticalSection.KERNEL32(?), ref: 00B70863
LeaveCriticalSection.KERNEL32(?), ref: 00B708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B70921

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c514a14069153835a5287bddaec219f33db71818eb48d27a1c6ad477c4e03013
Instruction ID: 043308fe3983950260568ebc76b1dd2dd4df5cab34bf4f72ec974acae1af8fee
Opcode Fuzzy Hash: c514a14069153835a5287bddaec219f33db71818eb48d27a1c6ad477c4e03013
Instruction Fuzzy Hash: 6F416B71A10205EFDF14AF54DC85AAA7BB8FF04300F5480A6ED04AB297DB30DE60DBA4

Function 00B981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B5F3AB,00000000,?,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B9824C
EnableWindow.USER32(?,00000000), ref: 00B98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B982D1
ShowWindow.USER32(?,00000004), ref: 00B982E5
EnableWindow.USER32(?,00000001), ref: 00B9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B9832F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5ac7c5daff8eff4d8c6073c4e2634119c4eda6f9f3e3fbdce8fd2aaf906c249e
Instruction ID: 7de77e4fd7df50e9fcea72068504e133df749bea145a3070aae0477cae5527e9
Opcode Fuzzy Hash: 5ac7c5daff8eff4d8c6073c4e2634119c4eda6f9f3e3fbdce8fd2aaf906c249e
Instruction Fuzzy Hash: 9D418034602644AFDF22CF19D9A9BA47BE0FB4B714F1841BAE5084B2B2CB35A841CF50

Function 00B64C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B64CEA
_wcslen.LIBCMT ref: 00B64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B64D10
_wcsstr.LIBVCRUNTIME ref: 00B64D1A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5ab0fc97c65631186acb02a4d37456eefeb7ea4614247e643fbe49a17d677555
Instruction ID: 0b474e31606241da5a954e885e29b8d3c7d8ebcfe6483a2d52db63e4ea548f7a
Opcode Fuzzy Hash: 5ab0fc97c65631186acb02a4d37456eefeb7ea4614247e643fbe49a17d677555
Instruction Fuzzy Hash: A221D432604611BBEB155B39AD49E7B7FE8DF45750F1080BAF809CB192EF65DC40D6A0

Function 00B7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

_wcslen.LIBCMT ref: 00B7587B
CoInitialize.OLE32(00000000), ref: 00B75995
CoCreateInstance.OLE32(00B9FCF8,00000000,00000001,00B9FB68,?), ref: 00B759AE
CoUninitialize.OLE32 ref: 00B759CC

Strings

.lnk, xrefs: 00B75876, 00B758C1, 00B75985

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 22a16f5fb36672663ee07fde2e5a43895353ffe4b0dc4ebcb408a3f473995c0d
Instruction ID: ea6f33b6ebf9c4066010960c63a68d8d9c4aa9990d2a6d1af4bf0c1e2691f8f9
Opcode Fuzzy Hash: 22a16f5fb36672663ee07fde2e5a43895353ffe4b0dc4ebcb408a3f473995c0d
Instruction Fuzzy Hash: B5D164716087019FC724DF24C480A6ABBE5FF89710F14899DF89A9B3A1DB71EC45CB92

Function 00B6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B60FCA
Part of subcall function 00B60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B60FD6
Part of subcall function 00B60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B60FE5
Part of subcall function 00B60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B60FEC
Part of subcall function 00B60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B61002

GetLengthSid.ADVAPI32(?,00000000,00B61335), ref: 00B617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B617BA
HeapAlloc.KERNEL32(00000000), ref: 00B617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B617DA
GetProcessHeap.KERNEL32(00000000,00000000,00B61335), ref: 00B617EE
HeapFree.KERNEL32(00000000), ref: 00B617F5

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f9377ee3c849739b3afc5656a041f5e475512310df8464860e69da0735965d9a
Instruction ID: 1ef8073f1d48f3598d334e3b003c07ddf35035e87f77ddda28eb5125f7189f71
Opcode Fuzzy Hash: f9377ee3c849739b3afc5656a041f5e475512310df8464860e69da0735965d9a
Instruction Fuzzy Hash: D211ACB1500205EFDB10DFA8CD49BBE7BE9EB41355F184899F541A7220DB39AE40CB60

Function 00B614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00B61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B61515
CloseHandle.KERNEL32(00000004), ref: 00B61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B61563

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 78e8158b4af084e449c1a91e7bc71c34bf87d28f1066a72ec468dae6a3f51212
Instruction ID: a19bc881ab9c03e0f1cf55a552d41855be6aa7de893ea251b8d1a0eb6fa35049
Opcode Fuzzy Hash: 78e8158b4af084e449c1a91e7bc71c34bf87d28f1066a72ec468dae6a3f51212
Instruction Fuzzy Hash: 3011377250120DABDF11CFA8EE49FDE7BA9EF48748F084465FA05A2160C779CE60DB61

Function 00B23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B23379,00B22FE5), ref: 00B23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B233B7
SetLastError.KERNEL32(00000000,?,00B23379,00B22FE5), ref: 00B23409

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: cde4a9ca669247ce02ed899242f04e1dcf069d70372a12f7b4ea1f973a7a9ce6
Instruction ID: bb85e8e52096651503a69446c8f45a763dbceb26266bcca4df774170bf472b7b
Opcode Fuzzy Hash: cde4a9ca669247ce02ed899242f04e1dcf069d70372a12f7b4ea1f973a7a9ce6
Instruction Fuzzy Hash: 1701D83260D331BEAA163BB47C859562ED8EB19F7672003A9F41C962F0EF194E035558

Function 00B32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B35686,00B43CD6,?,00000000,?,00B35B6A,?,?,?,?,?,00B2E6D1,?,00BC8A48), ref: 00B32D78
_free.LIBCMT ref: 00B32DAB
_free.LIBCMT ref: 00B32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B2E6D1,?,00BC8A48,00000010,00B04F4A,?,?,00000000,00B43CD6), ref: 00B32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B2E6D1,?,00BC8A48,00000010,00B04F4A,?,?,00000000,00B43CD6), ref: 00B32DEC
_abort.LIBCMT ref: 00B32DF2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 93ab45fa840af5cefb0e1120416c47c1a4ed7508a0c47f12a79a0f3d1acafe02
Instruction ID: a6aedefa89238042d404e843e8200f4fb25c0eae3cb945409e87c5c168ed21de
Opcode Fuzzy Hash: 93ab45fa840af5cefb0e1120416c47c1a4ed7508a0c47f12a79a0f3d1acafe02
Instruction Fuzzy Hash: 0EF0C8355056102BC6123739BC06F1B39E9EFC17A1F3405F9F824932E2EF3488025160

Function 00B98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196A2
Part of subcall function 00B19639: BeginPath.GDI32(?), ref: 00B196B9
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00B98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B98A70
LineTo.GDI32(?,00000000,00000003), ref: 00B98A80
EndPath.GDI32(?), ref: 00B98A90
StrokePath.GDI32(?), ref: 00B98AA0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: eddc6e7375823d376f70d5398ec1194617024d72596dd5cf8127954315e8bbbc
Instruction ID: 597d59e0a5749bd08ab72513cdf4cf13ad4a0fd8854f4cd47a591d91df80fa7b
Opcode Fuzzy Hash: eddc6e7375823d376f70d5398ec1194617024d72596dd5cf8127954315e8bbbc
Instruction Fuzzy Hash: D7111B7600010CFFDF129F94DC88EAA7FADEB08350F008062FA199A1A1DB719E55DFA0

Function 00B651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B65230
ReleaseDC.USER32(00000000,00000000), ref: 00B65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B65261

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e0be141f7a557a32f0fc1e88e1dbb35459ffb3bc42fbc71b5bf661350786e716
Instruction ID: da0307d98fb10d321b1ea45f7cf97e8874949e2a9860cc93a0fd102e9be1a830
Opcode Fuzzy Hash: e0be141f7a557a32f0fc1e88e1dbb35459ffb3bc42fbc71b5bf661350786e716
Instruction Fuzzy Hash: 96014F75A01719BBEB109BA59D49A5EBFB8EB48751F0440A6FA04A7281DA709810CBA0

Function 00B01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B01C22

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fb9672ac690b713022e47a833f48db5492c816a96fea7fd7f060c9a3e415ea52
Instruction ID: 5f972234dd74317e75c91de93657d887aba40f6c0d68af4232a12750bd82de17
Opcode Fuzzy Hash: fb9672ac690b713022e47a833f48db5492c816a96fea7fd7f060c9a3e415ea52
Instruction Fuzzy Hash: 110167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB75

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 155e4b318e4a0150aa8f846b34d469e3b2b4c7cff5db2d2780df56bf4fb243c2
Instruction ID: af5a962a9934ed788542f35fdde76eff9e930fb8f8739a098c50c27c4c80f724
Opcode Fuzzy Hash: 155e4b318e4a0150aa8f846b34d469e3b2b4c7cff5db2d2780df56bf4fb243c2
Instruction Fuzzy Hash: 5AF03072140158BBE72157529E0EEEF3E7CEFCAB11F00015AF611E3091DBA05A01C6B9

Function 00B57439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B57469
GetWindowDC.USER32(?), ref: 00B57475
GetPixel.GDI32(00000000,?,?), ref: 00B57484
ReleaseDC.USER32(?,00000000), ref: 00B57496
GetSysColor.USER32(00000005), ref: 00B574B0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: eac976cccf5fa6bc937b5d3509a629316afd6c88b43a4259917595c1f3eeca98
Instruction ID: 9e5458dc1ee74b7134744fc696036bcb8572f222bcaf68d1c5d3a59c2d28ec92
Opcode Fuzzy Hash: eac976cccf5fa6bc937b5d3509a629316afd6c88b43a4259917595c1f3eeca98
Instruction Fuzzy Hash: 5D012831500215EFDB515FA4ED09BAA7FB5FB04322F5141A5FA16A31A1CF311E51AB50

Function 00B61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B6187F
UnloadUserProfile.USERENV(?,?), ref: 00B6188B
CloseHandle.KERNEL32(?), ref: 00B61894
CloseHandle.KERNEL32(?), ref: 00B6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B618A5
HeapFree.KERNEL32(00000000), ref: 00B618AC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: da94bb7d1b5166f598eec1be58cf14b16e49cf6c0e3eef49396af37e037f223b
Instruction ID: 9b9143c76552f4c1b7a3df2057bff32cf8f0591ac9382673ae47d1a9c15f2aef
Opcode Fuzzy Hash: da94bb7d1b5166f598eec1be58cf14b16e49cf6c0e3eef49396af37e037f223b
Instruction Fuzzy Hash: D8E0E536004101BBDB015FA1EF0C90ABF39FF49B22B108222F22592070CF329420DF68

Function 00B6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6C6EE
_wcslen.LIBCMT ref: 00B6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B6C7CA

Strings

0, xrefs: 00B6C6AF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 30268475e2e0c28a9b9739974c0afce37e83136d3942cf4161477ff90cf32d5d
Instruction ID: 3c3497f73f7d084eb7a61ed0f0ff8350dd22a130b9e82d1760e327217c30c572
Opcode Fuzzy Hash: 30268475e2e0c28a9b9739974c0afce37e83136d3942cf4161477ff90cf32d5d
Instruction Fuzzy Hash: 1651BD716053019BD7109F28C885A7BBFE8EB49314F040AAAF9E5D31A1DB68DD44CB56

Function 00B8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B8AEA3

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

GetProcessId.KERNEL32(00000000), ref: 00B8AF38
CloseHandle.KERNEL32(00000000), ref: 00B8AF67

Strings

@, xrefs: 00B8AE72
<, xrefs: 00B8AE6B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ce0475b56221ed89ec6e4d1988ea785f400201119627afeb73e88d6b9600fba1
Instruction ID: 30e8bc15c1c9f8653274487adb88a7a48d5c6d74c596066677c3b66374e8a52a
Opcode Fuzzy Hash: ce0475b56221ed89ec6e4d1988ea785f400201119627afeb73e88d6b9600fba1
Instruction Fuzzy Hash: 71714871A00615DFDB14EF54C494A9EBBF0FF08314F14889AE81AAB3A2CB75ED45CB91

Function 00B6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B672CF

Strings

DllGetClassObject, xrefs: 00B67242

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8c0fad6329bd8a6180357030d12ba763480984ff9d23ddb8ac04c5f8f9750cd9
Instruction ID: c93fc6f5291b20dceb0d8e1469a0c9be8f984c0b771755f9aea83065e9198e18
Opcode Fuzzy Hash: 8c0fad6329bd8a6180357030d12ba763480984ff9d23ddb8ac04c5f8f9750cd9
Instruction Fuzzy Hash: 3C416D71A44204AFDB15CF64C894A9A7BE9EF45318F1480EDFD099F20ADBB8D944CBA0

Function 00B93D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B93E35
IsMenu.USER32(?), ref: 00B93E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B93E92
DrawMenuBar.USER32 ref: 00B93EA5

Strings

0, xrefs: 00B93D89

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fe2be58298467c169f836f8b75ca957391c4ebaf8e6c35076d13aa32df97c419
Instruction ID: 77936395cf0bc7ccf70784aa411253e45d362227905f6c987e1b488eb19650df
Opcode Fuzzy Hash: fe2be58298467c169f836f8b75ca957391c4ebaf8e6c35076d13aa32df97c419
Instruction Fuzzy Hash: E5416575A01609EFDF10DF64D884AAABBF9FF49750F0540AAE905AB250D730AE41CF60

Function 00B61DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B61E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B61E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B61EA9

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Strings

ComboBox, xrefs: 00B61DF0
ListBox, xrefs: 00B61E25

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: adef84364c1e39a2d5125baff73b492d1c753286baa36084c000eac4521ba713
Instruction ID: c77b8ea13ee42f7b782b78b32c7c46eb3aea335b9e6822797e29ed1834311884
Opcode Fuzzy Hash: adef84364c1e39a2d5125baff73b492d1c753286baa36084c000eac4521ba713
Instruction Fuzzy Hash: C621F772A00104BEDB14AB68DC86DFFBBF8DF45350F184599F825A71E1DB398D499620

Function 00B92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B92F8D
LoadLibraryW.KERNEL32(?), ref: 00B92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B92FA9
DestroyWindow.USER32(?), ref: 00B92FB1

Strings

SysAnimate32, xrefs: 00B92F68

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ad226ce04589104894829df91790c256a52d643e38dc8f2d26fb2e1b88a6b478
Instruction ID: 95895d9f248fa12e36f0c2dd6c2a53e5df10a80ea99331ef3a45839f4887a8f9
Opcode Fuzzy Hash: ad226ce04589104894829df91790c256a52d643e38dc8f2d26fb2e1b88a6b478
Instruction Fuzzy Hash: 85218872A00205BBEF108F64DC80FBB77F9EB59364F104669F954931A0D771DC519760

Function 00B24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B24D1E,00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002), ref: 00B24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B24D1E,00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000), ref: 00B24DC3

Strings

mscoree.dll, xrefs: 00B24D86
CorExitProcess, xrefs: 00B24D98

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 32950355d349429109b5588a145471e2324833df4d96fefd9cd32a4ff7cf5ccc
Instruction ID: 1c01dcf794c6425ae24f23be7de41e14802037b221dd8789f9abd89109e055d8
Opcode Fuzzy Hash: 32950355d349429109b5588a145471e2324833df4d96fefd9cd32a4ff7cf5ccc
Instruction Fuzzy Hash: 3CF04F34A54228BBDB119F90ED49BAEBFF5EF44751F4001A5F809A3661CF705D40CB94

Function 00B04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B04EAE
FreeLibrary.KERNEL32(00000000,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EC0

Strings

kernel32.dll, xrefs: 00B04E94
Wow64DisableWow64FsRedirection, xrefs: 00B04EA8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e0d4fbb3031567d6d93a4d924f4635eca8120fb157cef8eac51fa289f8fcf017
Instruction ID: f4a0e7d5ae4bab7ddccf40ee640d601fda8aa4959172535510563e4c0d4d4bd7
Opcode Fuzzy Hash: e0d4fbb3031567d6d93a4d924f4635eca8120fb157cef8eac51fa289f8fcf017
Instruction Fuzzy Hash: 6DE08635A015325BD2211725BC18B6B6DD4EF81FA27050156FD04E3151DF64CD0240E4

Function 00B04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B04E74
FreeLibrary.KERNEL32(00000000,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B04E6E
kernel32.dll, xrefs: 00B04E5B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 452f403c73b25a3ced90c250ce9ea3ebf59e8f10861c11cd87abd7838a6ff8e0
Instruction ID: 3ab0eb2430a811ae2e8ff8083e6e08496c92d945a39d1e3dcfec8a13b7a2e7df
Opcode Fuzzy Hash: 452f403c73b25a3ced90c250ce9ea3ebf59e8f10861c11cd87abd7838a6ff8e0
Instruction Fuzzy Hash: C2D0C231502631578A221B24BC18E8B2E98EF81F1134501AABA08B31A1CF20CD0281D4

Function 00B72947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72C05
DeleteFileW.KERNEL32(?), ref: 00B72C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72CC0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f74aaf8ddfde64d269852d190594a9f9ff2c5c31ae9dc0354b773dd2e0c08b45
Instruction ID: d469959b160967c00207a9abec684638f84b065035911e090efb0823d701bc7a
Opcode Fuzzy Hash: f74aaf8ddfde64d269852d190594a9f9ff2c5c31ae9dc0354b773dd2e0c08b45
Instruction Fuzzy Hash: 5FB13C72D00129ABDF21DBA4CC85EDEBBFDEF49350F1080EAF519E6151EA309A448F61

Function 00B8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B8A468
CloseHandle.KERNEL32(?), ref: 00B8A63D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e8014e1f1cf1f0c637f860171d189c2a26f99405c197bbe3c3b5e7f48c080890
Instruction ID: 20bb9534f8ec348d21f89d3cf29bf9bc96b7c22fae73982c0557ab6df826241b
Opcode Fuzzy Hash: e8014e1f1cf1f0c637f860171d189c2a26f99405c197bbe3c3b5e7f48c080890
Instruction Fuzzy Hash: C8A161716043019FE720EF18D886B2ABBE5AF44714F14899DF55A9B3D2DBB0EC41CB92

Function 00B3BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BA3700), ref: 00B3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD1270,000000FF,?,0000003F,00000000,?), ref: 00B3BC36
_free.LIBCMT ref: 00B3BB7F

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3BD4B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: b512af4c1dd3953f6220416561abe07c3d08cb88346671e72dea1036b8f2714e
Instruction ID: 7c57f415d5cff303a654219d503748932f40599562f0e3004b56242813e8a326
Opcode Fuzzy Hash: b512af4c1dd3953f6220416561abe07c3d08cb88346671e72dea1036b8f2714e
Instruction Fuzzy Hash: 6D51E771900219AFCB24EF699C81D6AB7FCEF44310F6006EBE654D7295EF305E408B50

Function 00B6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6CF22,?), ref: 00B6DDFD

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6CF22,?), ref: 00B6DE16

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B6E473
MoveFileW.KERNEL32(?,?), ref: 00B6E4AC
_wcslen.LIBCMT ref: 00B6E5EB
_wcslen.LIBCMT ref: 00B6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B6E650

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d087b40e11296388d4d17bbdb7ed255c7fd7d9bdd0d422ccacdf05823f35e753
Instruction ID: 5694618d59bf7686b523a94965e2abca36e4936edd6431c2669b289b4bf0e5bf
Opcode Fuzzy Hash: d087b40e11296388d4d17bbdb7ed255c7fd7d9bdd0d422ccacdf05823f35e753
Instruction Fuzzy Hash: 795164B25083859BC724DBA0D8819DF77DCEF85340F00495EF699D3191EF78E5888B5A

Function 00B8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00B8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00B8BBB3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 51d2fca7e81283caecc04b6cc7f76586e0acd6c9c9cc9566c33ec3256a9a4e59
Instruction ID: 623ca05f5edd39b3a9f60b8f19d80714f3a4929a21fe5a0dd61150177331901d
Opcode Fuzzy Hash: 51d2fca7e81283caecc04b6cc7f76586e0acd6c9c9cc9566c33ec3256a9a4e59
Instruction Fuzzy Hash: F5617371208241EFD714EF24C491E2ABBE5FF84348F54899DF4994B2A2DB31ED45CB92

Function 00B68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B68BCD
VariantClear.OLEAUT32 ref: 00B68C3E
VariantClear.OLEAUT32 ref: 00B68C9D
VariantClear.OLEAUT32(?), ref: 00B68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B68D3B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: aec72abd2c4e742cea207d1adb1181d496165a49b8fee87ca49f5cc4a904de78
Instruction ID: d82922ee6dfca473ca756aa1749f286338933db1cce883a0f2b6846a6d4af427
Opcode Fuzzy Hash: aec72abd2c4e742cea207d1adb1181d496165a49b8fee87ca49f5cc4a904de78
Instruction Fuzzy Hash: E8516CB5A00219EFCB14CF58D894AAABBF5FF89310B158569F909DB350E734E911CFA0

Function 00B78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B78C5F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: cbfaf79cefba68f0fa5932873b4f9dd6ebd077f0bf615839cea74b817a0a9f80
Instruction ID: 2f11a793d744326acb63095ca7da808f5381b86a64d745076844d91d8c3b871a
Opcode Fuzzy Hash: cbfaf79cefba68f0fa5932873b4f9dd6ebd077f0bf615839cea74b817a0a9f80
Instruction Fuzzy Hash: D9515C35A002199FCB01DF64C885AADBBF5FF48314F08C499E849AB3A2CB31ED41CB90

Function 00B88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00B88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00B89032
FreeLibrary.KERNEL32(00000000), ref: 00B89052

Part of subcall function 00B1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B71043,?,7644E610), ref: 00B1F6E6
Part of subcall function 00B1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B5FA64,00000000,00000000,?,?,00B71043,?,7644E610,?,00B5FA64), ref: 00B1F70D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 43fa8d88cf155101b420710b10c0bb15bb17e677490bcde69cb2903f18ebfdc6
Instruction ID: e197ae6ce64589cb7d1820601e8f1438f4f77f2eabff5287c6e31fb6b7d7d131
Opcode Fuzzy Hash: 43fa8d88cf155101b420710b10c0bb15bb17e677490bcde69cb2903f18ebfdc6
Instruction Fuzzy Hash: A9511635604205DFCB11EF58C4948A9BBF1FF49314B4980E9E90AAB3B2DB31ED85CB91

Function 00B96B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00B96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B7AB79,00000000,00000000), ref: 00B96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B96CC7

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a138c21b753f5be6618b341444b1cc133faf5daccfe8192974dae9a3200e6a77
Instruction ID: 969457b9625e866ffdd63419ac9a050f19ac6088931410c017418475da369a8c
Opcode Fuzzy Hash: a138c21b753f5be6618b341444b1cc133faf5daccfe8192974dae9a3200e6a77
Instruction Fuzzy Hash: 7741BE35A04104AFDF24CF28CD99FA97FF4EB0A350F1502B9F899A72A0D771AD41CA50

Function 00B32051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B320C3
_free.LIBCMT ref: 00B320E3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 20bbafad39a086a4bb4be073285415b5e82ccaf7e27c1ebcc02e95c25cce6008
Instruction ID: 89b6dcd077102e185a79daed5a71a7b6c5a2867ae663191f7777db4b87c2f4cb
Opcode Fuzzy Hash: 20bbafad39a086a4bb4be073285415b5e82ccaf7e27c1ebcc02e95c25cce6008
Instruction Fuzzy Hash: F941C332A00200AFCB24DF78C981A5EB7F5EF89714F2545E9E515EB351DB31AD01CB80

Function 00B1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B19141
ScreenToClient.USER32(00000000,?), ref: 00B1915E
GetAsyncKeyState.USER32(00000001), ref: 00B19183
GetAsyncKeyState.USER32(00000002), ref: 00B1919D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 26719a7e8025004708cee8ff102d138f1efdf84257f840c39f65f22473e60db6
Instruction ID: bc1da055ae24af3df23a4c9b79332a9fe2334e4a27a03cade88a8bc6d6df7b0e
Opcode Fuzzy Hash: 26719a7e8025004708cee8ff102d138f1efdf84257f840c39f65f22473e60db6
Instruction Fuzzy Hash: 54416071A0855ABBDF159F64D858BEEB7B4FB05320F2042A5E825B32D0CB306D94CF91

Function 00B73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B73922
TranslateMessage.USER32(?), ref: 00B7394B
DispatchMessageW.USER32(?), ref: 00B73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B73966

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0d7f83e1b7f8e48f848b650ccd7a797f96825fdb8ccb1f8084aab2a6128565a0
Instruction ID: ef3a2752ef3602e8a240051d4952f0f8e93d31d614ea55a876cc4c98a5245408
Opcode Fuzzy Hash: 0d7f83e1b7f8e48f848b650ccd7a797f96825fdb8ccb1f8084aab2a6128565a0
Instruction Fuzzy Hash: EC311970505341BEEB34CB34D858BB67BE4EB15700F0485AED57B831D0EBB59A84EB21

Function 00B7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00B7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFF2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c55fb2ebb3b543d030a4e408ab72efff87677a8c8ee754346081417b5bb9366a
Instruction ID: 195efefb96c8ce59bdf10b467079cd9c32c02afc359a699f252e383797c98305
Opcode Fuzzy Hash: c55fb2ebb3b543d030a4e408ab72efff87677a8c8ee754346081417b5bb9366a
Instruction Fuzzy Hash: 05318C71604205EFDB20DFA5D984AABBFF9EF14350B1084AEF52AD7141DB30AE48DB60

Function 00B61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00B619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B619E2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a78182ce9a4c721ea41361a34eb43b0533212d6a0b33eb72347f011a37dfe3fb
Instruction ID: 1f39d82ae47eebcdb55e84744d2abe9c268479f4cb556030312a26740a5296e1
Opcode Fuzzy Hash: a78182ce9a4c721ea41361a34eb43b0533212d6a0b33eb72347f011a37dfe3fb
Instruction Fuzzy Hash: 8231C072A00219EFCB00CFACCD99ADE3BB5EB44315F148669FA25A72D1C7749945CB90

Function 00B95706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B95745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B9579D
_wcslen.LIBCMT ref: 00B957AF
_wcslen.LIBCMT ref: 00B957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B95816

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 63153c9cb9c8258f74dfa9be5a334052b6978f031db3413a5eaade3fd7a8d869
Instruction ID: d9bb7ef7f3bc28716e38ba6f1fe338dae1e754c7a17e70a94e4bd00993c24c24
Opcode Fuzzy Hash: 63153c9cb9c8258f74dfa9be5a334052b6978f031db3413a5eaade3fd7a8d869
Instruction Fuzzy Hash: AE21A7719446189ADF318FA4DC84AED7BF8FF04720F1081A6E929DB2C5D7709A85CF50

Function 00B80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B80951
GetForegroundWindow.USER32 ref: 00B80968
GetDC.USER32(00000000), ref: 00B809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00B809B0
ReleaseDC.USER32(00000000,00000003), ref: 00B809E8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6485b117a719e649b6149c83da65a834568f42ec82ad14930d17168d79716052
Instruction ID: 7b7ab910e80564c320e7709e201a657c31d3d55700cd9fbd226a7a993d57d057
Opcode Fuzzy Hash: 6485b117a719e649b6149c83da65a834568f42ec82ad14930d17168d79716052
Instruction Fuzzy Hash: 73218135600214AFD714EF69C984EAEBBF5EF48740F0484ADE85A97362DB30AC44CB50

Function 00B3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3CDE9

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B3CE0F
_free.LIBCMT ref: 00B3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B3CE31

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 53a768502e6afe4bb71f79f0d027f0cdffcaa644ffb682f6350a70cd16f80bdc
Instruction ID: 334211fda0c45b3d1601c49914bd13fa3c19fbf4e74c3325095487d20845ccfa
Opcode Fuzzy Hash: 53a768502e6afe4bb71f79f0d027f0cdffcaa644ffb682f6350a70cd16f80bdc
Instruction Fuzzy Hash: 400188726012357F23212AF66C88D7B7DEDDEC6BA173501AAF905E7201DE619D0193B4

Function 00B19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
SelectObject.GDI32(?,00000000), ref: 00B196A2
BeginPath.GDI32(?), ref: 00B196B9
SelectObject.GDI32(?,00000000), ref: 00B196E2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7941889aead8d02274facac6c2abedab63897b70cd4fdf10da66a5ca1692a8a
Instruction ID: 8064d8334694f9e4619aacbcadb6bb57b202186da6f83f6cede3355bbb679b21
Opcode Fuzzy Hash: c7941889aead8d02274facac6c2abedab63897b70cd4fdf10da66a5ca1692a8a
Instruction Fuzzy Hash: B621AF30902345EBDB11DF68ED347E9BBA8FB01361F900657F810A30B1EB785892CBA4

Function 00B65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B65726
_memcmp.LIBVCRUNTIME ref: 00B65744
_memcmp.LIBVCRUNTIME ref: 00B65757
_memcmp.LIBVCRUNTIME ref: 00B6576F
_memcmp.LIBVCRUNTIME ref: 00B65787

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 86484f3ac66d50d6f58fbd19d6ffd67edf29ebfaf2fb9eaa8453464da0644750
Instruction ID: 47cb1c041a0fff6f94d0060a66bb61943dbd7b8cd0e032c9395d7a0f3be33f2e
Opcode Fuzzy Hash: 86484f3ac66d50d6f58fbd19d6ffd67edf29ebfaf2fb9eaa8453464da0644750
Instruction Fuzzy Hash: C901B57174161ABBD6289914AD82FBB73DDDB313B4F0044B0FD08AA641F765ED3082E4

Function 00B1990C Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B198CC
SetTextColor.GDI32(?,?), ref: 00B198D6
SetBkMode.GDI32(?,00000001), ref: 00B198E9
GetStockObject.GDI32(00000005), ref: 00B198F1
GetWindowLongW.USER32(?,000000EB), ref: 00B19952

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 57dceeaf3196fdae855cfd66e586ee230472525c19ed470a2ec5896d6d9b355a
Instruction ID: 164571f58c0e07367ec3addc1daf1bb3e9870aca516c91566b3e5358442ea71d
Opcode Fuzzy Hash: 57dceeaf3196fdae855cfd66e586ee230472525c19ed470a2ec5896d6d9b355a
Instruction Fuzzy Hash: 0A1127321462905FCB128F64EC78EE93FA4EB133A1B88409EE682CB1B1DB214881CB51

Function 00B32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B2F2DE,00B33863,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6), ref: 00B32DFD
_free.LIBCMT ref: 00B32E32
_free.LIBCMT ref: 00B32E59
SetLastError.KERNEL32(00000000,00B01129), ref: 00B32E66
SetLastError.KERNEL32(00000000,00B01129), ref: 00B32E6F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: fe41cb84cb5d1706a57026657843c517f0d5440d772b443db29956d681462b87
Instruction ID: a83a0959d392e184bfeb8eb0f859f7e00f0fdbd80275f35663b293fe96bab97a
Opcode Fuzzy Hash: fe41cb84cb5d1706a57026657843c517f0d5440d772b443db29956d681462b87
Instruction Fuzzy Hash: 550128362456207BC6122775BD87E2B3AEDEBD57B1F3501E9F825A32E2EF708C015020

Function 00B6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?,?,00B6035E), ref: 00B6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?), ref: 00B60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60070

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2913a8cc601da22d45ded0fccd3b2b3e7640621e5c1233e3c4da625db49454e0
Instruction ID: d9d06f36078e3fee15963d0fdb70ade6ec62b48cde7a4639d236857860331b4b
Opcode Fuzzy Hash: 2913a8cc601da22d45ded0fccd3b2b3e7640621e5c1233e3c4da625db49454e0
Instruction Fuzzy Hash: 79018F72620208BFDB115F6ADD44BAB7EEDEB44791F144165F905D3210DB79DD408BA0

Function 00B6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B6E9A5
Sleep.KERNEL32(00000000), ref: 00B6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B6E9B7
Sleep.KERNEL32 ref: 00B6E9F3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 00e106e358039a0b321e9e5cb675c520d2a356065148b0ebbfb4a398b6737deb
Instruction ID: d1437ffa828f1fa895450b0957cc1726840bf0517572b41404e554fc2e04cd0a
Opcode Fuzzy Hash: 00e106e358039a0b321e9e5cb675c520d2a356065148b0ebbfb4a398b6737deb
Instruction Fuzzy Hash: F5015735C01629DBCF00AFE4D959AEDBBB8FF08700F400586E512B3290CB389650CBA5

Function 00B610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: afe97fa1e13e85a3f0eacec5a2afad945a491575e3db15e96a65caebdc1e7168
Instruction ID: b436a228c52e911447d0c365246d4f6c79af39e7c0b2c903c28bd7793970aa6a
Opcode Fuzzy Hash: afe97fa1e13e85a3f0eacec5a2afad945a491575e3db15e96a65caebdc1e7168
Instruction Fuzzy Hash: B6018175100205BFDB114FA8DD49E6A3FAEEF86360B644456FA41D3360DF35DC008A60

Function 00B60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B61002

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 248b2128faf5a005f81379a00be1763d8c56349667d3eb9aa2c958626032aa65
Instruction ID: 4d59191837dbc85a51ec221d4121935bbcc0a513e16f4a7cf0c55e47fc64d6c2
Opcode Fuzzy Hash: 248b2128faf5a005f81379a00be1763d8c56349667d3eb9aa2c958626032aa65
Instruction Fuzzy Hash: 3AF04935200311ABDB214FA89E49F5A3FADEF89762F644856FA45D7261CE74DC408A70

Function 00B61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61062

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: afdc00eb32bdeabb610d6a00fa9de064aa53d43a20743c3bbf3a102e7e768761
Instruction ID: a44b2dffbff253dc024d23d3403597c3baeba1387b582fd94b20f4857943c787
Opcode Fuzzy Hash: afdc00eb32bdeabb610d6a00fa9de064aa53d43a20743c3bbf3a102e7e768761
Instruction Fuzzy Hash: 46F06D35200311EBDB215FA8EE49F5A3FADEF89761F240826FA45D7260CE74D8408AB0

Function 00B7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70324
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70331
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B7033E
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B7034B
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70358
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70365

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 59c39a9beff881673ac16f78ac1b7cf5b98b520af1fd47cd20316809862536af
Instruction ID: 59e934748ed2b5038b0b78af9d4a0e169a6d6461a7ae76c24cc39e02f1ab22ae
Opcode Fuzzy Hash: 59c39a9beff881673ac16f78ac1b7cf5b98b520af1fd47cd20316809862536af
Instruction Fuzzy Hash: 07019C72810B15DFCB30AF66D880812FBF9FF642153168A7FD1AA52931C7B1A958CE84

Function 00B3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3D752

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3D764
_free.LIBCMT ref: 00B3D776
_free.LIBCMT ref: 00B3D788
_free.LIBCMT ref: 00B3D79A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5f1c61431ff755544c5ac90195dd316a7736c529c64949fc9aa4ff9fb0ba5911
Instruction ID: da4510302fef9781029e7212badcf2996a011a91e52a5064a2d14e606fc9f7b4
Opcode Fuzzy Hash: 5f1c61431ff755544c5ac90195dd316a7736c529c64949fc9aa4ff9fb0ba5911
Instruction Fuzzy Hash: 9DF01D72544218EBC621EB68F9C6D2A7BDDFB58710FB40995F048E7602CB30FC808A64

Function 00B65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B65C6F
MessageBeep.USER32(00000000), ref: 00B65C87
KillTimer.USER32(?,0000040A), ref: 00B65CA3
EndDialog.USER32(?,00000001), ref: 00B65CBD

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ceca2f149b7bb1d3e0ae861845020c04b38063c2485f7498ced9e89c308e0f23
Instruction ID: fd4303629500b39fc444cd16ded81abd51343a741a603caf6f8ccccbcf85a38f
Opcode Fuzzy Hash: ceca2f149b7bb1d3e0ae861845020c04b38063c2485f7498ced9e89c308e0f23
Instruction Fuzzy Hash: 94013670500B04AFEB315B50DE8EFA67FF8FB04B05F04159AA583A24E1DFF4A9948B90

Function 00B322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B322BE

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B322D0
_free.LIBCMT ref: 00B322E3
_free.LIBCMT ref: 00B322F4
_free.LIBCMT ref: 00B32305

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21b5d69f5d690a87d024df23980ef27b7d7fa7a0da97d7f39021b42e89e2cb52
Instruction ID: e1ee3054f971aef0b1db17f4ae7cd4ace5fcb9ba725cd36e1c08e31ac2382ac1
Opcode Fuzzy Hash: 21b5d69f5d690a87d024df23980ef27b7d7fa7a0da97d7f39021b42e89e2cb52
Instruction Fuzzy Hash: 5CF03AB58121309B8612BF58BC11A1DBFE4F728760F210A9BF414D33B1EF310812ABA4

Function 00B195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B195D4
StrokeAndFillPath.GDI32(?,?,00B571F7,00000000,?,?,?), ref: 00B195F0
SelectObject.GDI32(?,00000000), ref: 00B19603
DeleteObject.GDI32 ref: 00B19616
StrokePath.GDI32(?), ref: 00B19631

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 03262f385afcad672c1cb301d3512ee4f9cdd5f51da0eb0bf235c817dc68ebec
Instruction ID: 39d8c3067f74dc70bdeb33da8d407895eedac8e515d7be91b80c7e6860b79154
Opcode Fuzzy Hash: 03262f385afcad672c1cb301d3512ee4f9cdd5f51da0eb0bf235c817dc68ebec
Instruction Fuzzy Hash: 22F0F630006244EBDB125F69EE387A47FA1EB00322F448256E425660F1DF388992DF34

Function 00B30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B310F9
__freea.LIBCMT ref: 00B31117

Part of subcall function 00B31537: _free.LIBCMT ref: 00B3154F

Strings

am/pm, xrefs: 00B3117A
a/p, xrefs: 00B311DE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a658ad56843bea1388a4813e294753968db80ac93b5c2860f0b7fb146287276f
Instruction ID: cf9480f8558b4bb2ffb87eedb1cff964619330b7a136c85f18804aa464359cc5
Opcode Fuzzy Hash: a658ad56843bea1388a4813e294753968db80ac93b5c2860f0b7fb146287276f
Instruction Fuzzy Hash: E0D10235900206EACB289F6CC895BFEB7F8EF05700F3849D9E901AB650D7359D80CBA5

Function 00B87B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B20242: EnterCriticalSection.KERNEL32(00BD070C,00BD1884,?,?,00B1198B,00BD2518,?,?,?,00B012F9,00000000), ref: 00B2024D
Part of subcall function 00B20242: LeaveCriticalSection.KERNEL32(00BD070C,?,00B1198B,00BD2518,?,?,?,00B012F9,00000000), ref: 00B2028A

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B200A3: __onexit.LIBCMT ref: 00B200A9

__Init_thread_footer.LIBCMT ref: 00B87BFB

Part of subcall function 00B201F8: EnterCriticalSection.KERNEL32(00BD070C,?,?,00B18747,00BD2514), ref: 00B20202
Part of subcall function 00B201F8: LeaveCriticalSection.KERNEL32(00BD070C,?,00B18747,00BD2514), ref: 00B20235

Strings

G, xrefs: 00B87C7F
5, xrefs: 00B87C78
Variable must be of type 'Object'., xrefs: 00B87C3A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f8e80aaca90dc8fab2ac28e80308d4b6655ae0fe916867e70a28a62455b9b825
Instruction ID: 388cfc4d1e969d94bd7cf3f11c6ce3eaba237958980aa9721c7904980f1851c4
Opcode Fuzzy Hash: f8e80aaca90dc8fab2ac28e80308d4b6655ae0fe916867e70a28a62455b9b825
Instruction Fuzzy Hash: CC914974A44209EFCB14EF54D8919ADBBF1EF45308F2480D9F806AB2A2DB71EE41DB51

Function 00B62716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B621D0,?,?,00000034,00000800,?,00000034), ref: 00B6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B62760

Part of subcall function 00B6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B6B3F8

Part of subcall function 00B6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B6B355
Part of subcall function 00B6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B62194,00000034,?,?,00001004,00000000,00000000), ref: 00B6B365
Part of subcall function 00B6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B62194,00000034,?,?,00001004,00000000,00000000), ref: 00B6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B6281A

Strings

@, xrefs: 00B62832

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2617d0f8f4c1011f5ffa67cfcce8ba40cb55023c94f1ad461f43c429c497bb9c
Instruction ID: dfd7fb9b7bb628c5ca7a26369576aa65682cbfd39ec91dcf8aa3afc054394406
Opcode Fuzzy Hash: 2617d0f8f4c1011f5ffa67cfcce8ba40cb55023c94f1ad461f43c429c497bb9c
Instruction Fuzzy Hash: 71410C76900218AFDB10DFA4CD46EEEBBB8EF09700F108095FA55B7181DB746E85CBA1

Function 00B3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B31769
_free.LIBCMT ref: 00B31834
_free.LIBCMT ref: 00B3183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B31760, 00B31767, 00B31796, 00B317CE

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 4aad6c51ba75ece91999fa831f68a1e2422925d037a92a87d0a8ba98be989305
Instruction ID: 88ec7ecd993728cd821f0f6fcf7d59c9ccf9877880be2d521a750a12f879925a
Opcode Fuzzy Hash: 4aad6c51ba75ece91999fa831f68a1e2422925d037a92a87d0a8ba98be989305
Instruction Fuzzy Hash: 3A315EB5A41218FBDB21DB9D9C85D9EBBFCEB85310F2445E7F804A7211EA709E40CB94

Function 00B6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00B6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BD1990,01635870), ref: 00B6C395

Strings

0, xrefs: 00B6C2DF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e7a4875a23726b53a0dff5b75b6fbbff9cb041fdfc7e855053a07acfd37b0f91
Instruction ID: f708a4e7eafe14a01c2096e1113998f9d80e9cb622a00c500905040abb6c062e
Opcode Fuzzy Hash: e7a4875a23726b53a0dff5b75b6fbbff9cb041fdfc7e855053a07acfd37b0f91
Instruction Fuzzy Hash: 90418F312043019FD720DF25D885B6ABFE8EB85310F14869EF9A5973D2D734E904CB6A

Function 00B94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9CC08,00000000,?,?,?,?), ref: 00B944AA
GetWindowLongW.USER32 ref: 00B944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B944D7

Strings

SysTreeView32, xrefs: 00B9447C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c9ab9499ac80881fb3410e5bb26a5d3d215ceb28801a331b1c0f821d7664bdcf
Instruction ID: 4775337ce0a872c2c7127aec7076b00d9ab1d7f637e0b6f6bf811bb084e51aa7
Opcode Fuzzy Hash: c9ab9499ac80881fb3410e5bb26a5d3d215ceb28801a331b1c0f821d7664bdcf
Instruction Fuzzy Hash: A2317C31210205ABDF208E78DC85FEA7BE9EB09324F214765F979A32E0DB70EC519B50

Function 00B8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B83077,?,?), ref: 00B83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
_wcslen.LIBCMT ref: 00B8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00B83106

Strings

255.255.255.255, xrefs: 00B83095, 00B8309A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6618ce215cd6a67e23e625f8423dfc424168b9bb87caa7c746551275deb03db4
Instruction ID: 6b0edb380842aaddfa2513a32ed9ad8d57e594ff39657f30df1aedb6e44a49cc
Opcode Fuzzy Hash: 6618ce215cd6a67e23e625f8423dfc424168b9bb87caa7c746551275deb03db4
Instruction Fuzzy Hash: 0E31AF356042059FCB10EF28C5C5FAA7BE1EF14F18F248099E9169B3A2DB72EE41C760

Function 00B93EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B93F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B93F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B93F78

Strings

SysMonthCal32, xrefs: 00B93F0B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3c9a2a4e0962d05db3ab4b883fdeb397688a0d0a1afcb269939b06e8d7756fd7
Instruction ID: 5e63877e87f81089541ebd399428917da6764860b07c01f96e52ff77efcaa4fb
Opcode Fuzzy Hash: 3c9a2a4e0962d05db3ab4b883fdeb397688a0d0a1afcb269939b06e8d7756fd7
Instruction Fuzzy Hash: ED219F32600219BBDF218F54CC86FEA3BB9EB48714F110265FA156B1D0DAB5A9508BA0

Function 00B94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B9471A

Strings

msctls_updown32, xrefs: 00B94684

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3acd9b85357ca11d6b83ba66ebbfbd026c62af0d2fe6e74804073c16ff0a328f
Instruction ID: a948efccb8a39b015e0a96ef882ecdc086d1ed79c13c665094ae4e25d4e69dd2
Opcode Fuzzy Hash: 3acd9b85357ca11d6b83ba66ebbfbd026c62af0d2fe6e74804073c16ff0a328f
Instruction Fuzzy Hash: F22160B5600208AFDB10DF68DCD1DBB37EDEB4A394B040499FA009B291DB34EC12CA60

Function 00B695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B6961D

Strings

#requireadmin, xrefs: 00B695D9
#notrayicon, xrefs: 00B695B7
#OnAutoItStartRegister, xrefs: 00B695F3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4b86a327c4d0ad3ad5004230fc4f0fa579274549090a3c8479e3307ee216348a
Instruction ID: d86f3d447279fba3024032597a0574bf58f44c6292cd6fd17a4556e7e6bd1bc1
Opcode Fuzzy Hash: 4b86a327c4d0ad3ad5004230fc4f0fa579274549090a3c8479e3307ee216348a
Instruction Fuzzy Hash: DA213572204721A6C731AA24DC42FBBB3DCEFA1310F1440BAF94AD7081EBB9AD45C295

Function 00B937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B93876

Strings

Listbox, xrefs: 00B9380F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9f047c0b95823048dec75747250bc1d89187247d51918ea2a22914834b2c0689
Instruction ID: ec449ad898127661203eba87675e36484613eb4220b409608dfeaa3229d225bd
Opcode Fuzzy Hash: 9f047c0b95823048dec75747250bc1d89187247d51918ea2a22914834b2c0689
Instruction Fuzzy Hash: BB21A472610118BBEF218F94CC85FBB3BEEEF89B54F108165F9059B190DA76DC5187A0

Function 00B749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B74A5C
SetErrorMode.KERNEL32(00000000,?,?,00B9CC08), ref: 00B74AD0

Strings

%lu, xrefs: 00B74A6F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0d04489ce236d0857ee3fd80f3b4a67ffe69f91629c24795da2c51e83cdbec3c
Instruction ID: cbf78ec5fc2d51587b339ae2b05575f5976f8bc0c0025e11bb66d99f25d1b687
Opcode Fuzzy Hash: 0d04489ce236d0857ee3fd80f3b4a67ffe69f91629c24795da2c51e83cdbec3c
Instruction Fuzzy Hash: D6312375A00109AFDB10DF54C985EAA7BF8EF09304F1480E5F909DB2A2DB75ED45CB61

Function 00B941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B94271

Strings

msctls_trackbar32, xrefs: 00B94226

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3edd1a41a1a81572c85ef822661fba0da5f2f039ecc9984209142cf06e0784ac
Instruction ID: c4dfe5824870c8e0d5f77931f29e00723c5fe9a9a91f7b8b44b21e5b221b5bba
Opcode Fuzzy Hash: 3edd1a41a1a81572c85ef822661fba0da5f2f039ecc9984209142cf06e0784ac
Instruction Fuzzy Hash: DE11E332250208BEEF205F29CC46FAB3BECEF85B54F110524FA55E60A0D671DC529B20

Function 00B62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Part of subcall function 00B62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B62DC5
Part of subcall function 00B62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B62DD6
Part of subcall function 00B62DA7: GetCurrentThreadId.KERNEL32 ref: 00B62DDD
Part of subcall function 00B62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B62DE4

GetFocus.USER32 ref: 00B62F78

Part of subcall function 00B62DEE: GetParent.USER32(00000000), ref: 00B62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00B62FC3
EnumChildWindows.USER32(?,00B6303B), ref: 00B62FEB

Strings

%s%d, xrefs: 00B62FFF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: cdcb51dd220fa58bb2a98c7494c27d5f2a24a4a9b1e6195ef46ee90fd027a25d
Instruction ID: f9bd64c85e701573ee32672d54ba3d36b9ce4a8cd4536ca60925506c189f45c7
Opcode Fuzzy Hash: cdcb51dd220fa58bb2a98c7494c27d5f2a24a4a9b1e6195ef46ee90fd027a25d
Instruction Fuzzy Hash: BC11A2B56002056BDF157F64CC86FEE3BEAEF94304F0440B5F9099B1A2DE3499498B60

Function 00B95882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B958EE
DrawMenuBar.USER32(?), ref: 00B958FD

Strings

0, xrefs: 00B9588F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c299a6c7532d7483256efe54c7300a0c59f3e343dc7c0a781fa06b5b34202e2e
Instruction ID: a62a92deb9851045193a990232e71682a0156893f4ff4efa8430686b6ba732bf
Opcode Fuzzy Hash: c299a6c7532d7483256efe54c7300a0c59f3e343dc7c0a781fa06b5b34202e2e
Instruction Fuzzy Hash: B2015B32500218EFDF229F21DC85BAEBBB4FB45760F1080EAE849D6251DB308A84DF31

Function 00B5D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00B5D3BF
FreeLibrary.KERNEL32 ref: 00B5D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00B5D3B9
X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 66b46688b97ce92142c506a6ed88213564f37a823cc2b64f4aaf35e97b0b157d
Instruction ID: 789a720242f28ce24ff0a61fc8751910f54e350de271804dccdd119d06f2485e
Opcode Fuzzy Hash: 66b46688b97ce92142c506a6ed88213564f37a823cc2b64f4aaf35e97b0b157d
Instruction Fuzzy Hash: 4AF05522405A11ABC7345710CC88B6937E4EF21703FA083DEF806F20A4EB61CD8CCE4A

Function 00B6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cad3813af27bee60ff9e8af489ba4bca701914ccbf23bf859b069e024fddeb
Instruction ID: 1810d8d51bb1d1ea68e245d8503b5a709c6ae5358e4995ca0cb14e0f7568b9cc
Opcode Fuzzy Hash: 84cad3813af27bee60ff9e8af489ba4bca701914ccbf23bf859b069e024fddeb
Instruction Fuzzy Hash: 3AC14875A1020AAFCB14DFA9C894AAEB7F5FF48304F2085D8E505EB251D735EE41CB90

Function 00B33E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B33F0B
__alldvrm.LIBCMT ref: 00B3410C
__alldvrm.LIBCMT ref: 00B3412E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: d3933e0edb7c63d2ac8c05fb3bf844a0da6f2158aeafa9e44d00c507685f6203
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 8AA12671E00A969FDB15CF28C8917AABFE5EF61350F2841EDE5859B281C338A981C750

Function 00B8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B83459
CoUninitialize.OLE32 ref: 00B83463
VariantInit.OLEAUT32(?), ref: 00B8346E
VariantClear.OLEAUT32(?), ref: 00B8371B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 987ad02d5df40fae118f735becba313569fac76e3897583cbcc21ff94ee5ecd4
Instruction ID: 4a68c1649227ecb75a49a70114c2a3deee8778aa311385497be5d5e71d51a7b2
Opcode Fuzzy Hash: 987ad02d5df40fae118f735becba313569fac76e3897583cbcc21ff94ee5ecd4
Instruction Fuzzy Hash: 84A13D756143019FC700EF28C995A6ABBE5FF88B14F048899F9499B3A2DB30EE45CB51

Function 00B60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B60608
CLSIDFromProgID.OLE32(?,?,00000000,00B9CC40,000000FF,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B6062D
_memcmp.LIBVCRUNTIME ref: 00B6064E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0d56f4da44ac5bd7330d1e48b1d70b4f5b204879a751cc5c621361cf6d5c11a6
Instruction ID: 3963a41d749c590653540d95eb1ad9b2bb13e9f2c7b97dfb487859f1f8a2b123
Opcode Fuzzy Hash: 0d56f4da44ac5bd7330d1e48b1d70b4f5b204879a751cc5c621361cf6d5c11a6
Instruction Fuzzy Hash: F9810971A10109EFCB04DF94C984EEEB7F9FF89315F208599E506AB250DB75AE06CB60

Function 00B8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00B8A6BA

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00B8A79C
CloseHandle.KERNEL32(00000000), ref: 00B8A7AB

Part of subcall function 00B1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B43303,?), ref: 00B1CE8A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9eaabe40877909c375ae5072d7f7649f653f7537803fe357e67f96932a016999
Instruction ID: 7348216c10058601411d16f7b16b2f664f23b9bee2ddc43bebbfc410c753b07a
Opcode Fuzzy Hash: 9eaabe40877909c375ae5072d7f7649f653f7537803fe357e67f96932a016999
Instruction Fuzzy Hash: 44515C71508301AFD710EF24C886E6BBBE8FF89754F40895DF585972A2EB70E944CB92

Function 00B41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B414C0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 295f5ebcaef203803d72103720059a9c9fccdf96295aad7a02f8d1d07b7dfdd2
Instruction ID: cbea2e3baafc13e98616ba95cf7f682beb9df0fd94d979a84de43ba83f543e0a
Opcode Fuzzy Hash: 295f5ebcaef203803d72103720059a9c9fccdf96295aad7a02f8d1d07b7dfdd2
Instruction Fuzzy Hash: 49414D31E00121ABDB216BBDAC456BE3AF4EF42370F244AF5F41DD6391E7744A817A61

Function 00B96278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B962E2
ScreenToClient.USER32(?,?), ref: 00B96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B96382

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 73c2ac34119f18fe0327c01faf0cc43e6a01b5e2647b0ccd782d4232f01624ed
Instruction ID: b0bd06143b5bf2ecc708ef792dde452784ab861c8170fd3c65c86ce92fa23436
Opcode Fuzzy Hash: 73c2ac34119f18fe0327c01faf0cc43e6a01b5e2647b0ccd782d4232f01624ed
Instruction Fuzzy Hash: 52510C74904209AFDF14DF68D9909AE7BF5EB45360F1085AAF815972A1D730ED41CB50

Function 00B81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B81AFD
WSAGetLastError.WSOCK32 ref: 00B81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B81B8A
WSAGetLastError.WSOCK32 ref: 00B81B94

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a186e949af0faa66a7455e16b872299344c1ac2409198ce3b29b1250a5a48391
Instruction ID: e27a6b2e4ac4d4ccb6abb8b166c3ac11b42195d188809a50df8506ac28acc40f
Opcode Fuzzy Hash: a186e949af0faa66a7455e16b872299344c1ac2409198ce3b29b1250a5a48391
Instruction Fuzzy Hash: 4B4185746402006FD720AF24C886F657BE5EB44718F5485D8F51A9F3D2D772DD82CB91

Function 00B3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43260c8f43fca8cf621919cd5c26bedf6a13b01b2225776708db6f98b380f41
Instruction ID: 999a067dd00fa8febc0e8683dd4b7d39724a731794813fd1ca1f2f768b9e6cf8
Opcode Fuzzy Hash: d43260c8f43fca8cf621919cd5c26bedf6a13b01b2225776708db6f98b380f41
Instruction Fuzzy Hash: 12410676A00314BFD7249F38CC41F6ABBE9EB88710F2045AEF255DB382D77199418780

Function 00B756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B75783
GetLastError.KERNEL32(?,00000000), ref: 00B757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B757FA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3a1db63888cc0ff18129af9a8a02bf0569ef1f36f02b4513680c2864bef2e4f7
Instruction ID: 3c92c63fe48e47265c071f458f24be87c150101c5378523a1737bde7983e70ec
Opcode Fuzzy Hash: 3a1db63888cc0ff18129af9a8a02bf0569ef1f36f02b4513680c2864bef2e4f7
Instruction Fuzzy Hash: 0F411D39610610DFCB21DF15C554A5EBBE2EF99720B19C4C8E85AAB3A2CB74FD40CB91

Function 00B3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B26D71,00000000,00000000,00B282D9,?,00B282D9,?,00000001,00B26D71,8BE85006,00000001,00B282D9,00B282D9), ref: 00B3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B3D9AB
__freea.LIBCMT ref: 00B3D9B4

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 40c12f1d7db05380b1b172ac84fc3a22c0476b0d4b9b338aea557744bc4e4c89
Instruction ID: cee5722286be19968c40c08a1c5abe8a40b902718f89bc01957e68ea1ff61dc8
Opcode Fuzzy Hash: 40c12f1d7db05380b1b172ac84fc3a22c0476b0d4b9b338aea557744bc4e4c89
Instruction Fuzzy Hash: 0D31E172A0021AABDF25DF64EC81EAE7BE5EB40310F2502A8FC04D7250EB35CD50CBA0

Function 00B952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00B95352
GetWindowLongW.USER32(?,000000F0), ref: 00B95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B953A8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c51da73b0b42c7d5e3ba33cb3c99122fc8edc6fd4473ae3ba7a3382c17748fe8
Instruction ID: 258b0f02bb8c653d6bd81754d2bad2d6c9f8d640dada061bf933ce7d6a409e51
Opcode Fuzzy Hash: c51da73b0b42c7d5e3ba33cb3c99122fc8edc6fd4473ae3ba7a3382c17748fe8
Instruction Fuzzy Hash: 4131F230AD9A0CEFEF329F14CC55BE877E5EB05390F5841A2FA02871E1C7B099809B59

Function 00B6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00B6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B6AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00B6ACC6

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c295ba6e6273dec1f50415b81457e90cd50f4408a50371ff9a1bcbf160c27f59
Instruction ID: 38f0c6c9fdb8566b9021169615f9800a592898d0922af64ee469ee0d0a0d12c4
Opcode Fuzzy Hash: c295ba6e6273dec1f50415b81457e90cd50f4408a50371ff9a1bcbf160c27f59
Instruction Fuzzy Hash: EF310730A047186FEF35CB658C05BFA7BE9EB89310F04439AE485A31D1C37DD9859B52

Function 00B97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B9769A
GetWindowRect.USER32(?,?), ref: 00B97710
PtInRect.USER32(?,?,00B98B89), ref: 00B97720
MessageBeep.USER32(00000000), ref: 00B9778C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6e2550aa3ba97b77edcecd87aae8281d8764b3d02d3dc1d8f5e96a8fabc7ce27
Instruction ID: bdb64018c57b7a7a1b5ca4bb151e85f6028e797fad532406ac0da8d0ab63b120
Opcode Fuzzy Hash: 6e2550aa3ba97b77edcecd87aae8281d8764b3d02d3dc1d8f5e96a8fabc7ce27
Instruction Fuzzy Hash: 2F417E34655214EFCF01CF98C8A4EA9BBF5FB49314F1540F9E4249B261DB38AD42CB90

Function 00B916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B916EB

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

GetCaretPos.USER32(?), ref: 00B916FF
ClientToScreen.USER32(00000000,?), ref: 00B9174C
GetForegroundWindow.USER32 ref: 00B91752

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b95a25ab9ddb615be82036166a62bf8162d777af743e05ca5d4799c7765731b2
Instruction ID: e4795a8dbd2713df25b6cdd399e73d6f8df542ea05fcae7249a591d5117ffe34
Opcode Fuzzy Hash: b95a25ab9ddb615be82036166a62bf8162d777af743e05ca5d4799c7765731b2
Instruction Fuzzy Hash: 9A3154B5D00149AFDB00DFA9C981CAEBBF9EF48304B5084EAE415E7251DB35DE45CBA1

Function 00B6DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

_wcslen.LIBCMT ref: 00B6DFCB
_wcslen.LIBCMT ref: 00B6DFE2
_wcslen.LIBCMT ref: 00B6E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B6E018

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 4cbeb88f0a7456b25a1dfb83a369516b4a69fe802bfb3bb60c2c750099a11ca1
Instruction ID: 4a8f5f56216af229b91c0f455c8939bdcf2cb7413b9b8daca3817c90a11134ff
Opcode Fuzzy Hash: 4cbeb88f0a7456b25a1dfb83a369516b4a69fe802bfb3bb60c2c750099a11ca1
Instruction Fuzzy Hash: F021A375D00214EFCB219FA8D982BAEB7F8EF45750F1440A5E805BB285D7B49E41CBA1

Function 00B98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

GetCursorPos.USER32(?), ref: 00B99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B57711,?,?,?,?,?), ref: 00B99016
GetCursorPos.USER32(?), ref: 00B9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B57711,?,?,?), ref: 00B99094

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2417fb9310821effdf5f12c26535f404d3aee96ed700cdcffd4375959125ec01
Instruction ID: 44d4e3fd56d961a52bd0ab84952abc9ed35bfbc18c075293b09d0fda6c7c13dd
Opcode Fuzzy Hash: 2417fb9310821effdf5f12c26535f404d3aee96ed700cdcffd4375959125ec01
Instruction Fuzzy Hash: 1821BF35600018FFCF658F99C868EEA7BF9EB49350F0040AAF91547261D73299A0DB60

Function 00B6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B9CB68), ref: 00B6D2FB
GetLastError.KERNEL32 ref: 00B6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B9CB68), ref: 00B6D376

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: eef6a841d5f9cbef4a7d590a2414dd1957b8cfa6526ba67cdc864cbaff353d8d
Instruction ID: 296a097b6d18bcdb8d370dc19049790a7f06b414829c250e7d63e4da82fd6ff6
Opcode Fuzzy Hash: eef6a841d5f9cbef4a7d590a2414dd1957b8cfa6526ba67cdc864cbaff353d8d
Instruction Fuzzy Hash: 49218D70A083019FC710DF28C98186A7BE8EE56364F504A9EF499C73E1EB349945CB97

Function 00B61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B6102A
Part of subcall function 00B61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B61036
Part of subcall function 00B61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61045
Part of subcall function 00B61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6104C
Part of subcall function 00B61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B615BE
_memcmp.LIBVCRUNTIME ref: 00B615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B61617
HeapFree.KERNEL32(00000000), ref: 00B6161E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 64c11cfd1e543f52c6771708ced3dcbe44f8da8c49ed92dc5e9487d3e73f5c39
Instruction ID: 4c089d1164d5004cc09aff2a2c873087efc88dbd1d7f0086f2aa0eb0cbf204ce
Opcode Fuzzy Hash: 64c11cfd1e543f52c6771708ced3dcbe44f8da8c49ed92dc5e9487d3e73f5c39
Instruction Fuzzy Hash: 82217C71E00109EFDF10DFA8C945BEEB7F8EF54354F188899E445AB251E778AA05CBA0

Function 00B92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B92840

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 44e2cad18f7b6d81bbcae29e5fcdaed581fafa6728d617f4e5e6cf5dda8c50a4
Instruction ID: ac59429422969c20ec99c6c45e5d20a2aebe18c2fec4ebff35eacdb85f320a55
Opcode Fuzzy Hash: 44e2cad18f7b6d81bbcae29e5fcdaed581fafa6728d617f4e5e6cf5dda8c50a4
Instruction Fuzzy Hash: C521B031605111BFDB14DB24CC85FAA7BD5EF46324F1481A9F42A8B6E2CB75EC42C790

Function 00B678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B6790A,?,000000FF,?,00B68754,00000000,?,0000001C,?,?), ref: 00B68D8C
Part of subcall function 00B68D7D: lstrcpyW.KERNEL32(00000000,?,?,00B6790A,?,000000FF,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B68DB2
Part of subcall function 00B68D7D: lstrcmpiW.KERNEL32(00000000,?,00B6790A,?,000000FF,?,00B68754,00000000,?,0000001C,?,?), ref: 00B68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B67923
lstrcpyW.KERNEL32(00000000,?,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B67984

Strings

cdecl, xrefs: 00B6797B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3141b33dd663856e9deb469846d9418259988d98299509b4108f52b2c405e8bd
Instruction ID: a04e88627b1959b7829ebc872f6c6f7a9e32bb91c43febf735623a2b705c4df6
Opcode Fuzzy Hash: 3141b33dd663856e9deb469846d9418259988d98299509b4108f52b2c405e8bd
Instruction Fuzzy Hash: C111223A200302BBCB159F38C844E7A77E9FF85394B40406AF902CB2A4EF359801C7A1

Function 00B97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B7B7AD,00000000), ref: 00B97D6B

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: eedba2581995b3c5542d5095f3c8f42f713976cdf197b0d1e490eb139f8f18ac
Instruction ID: 2889e29ddb2e537c7a8423452024ea59aa9ad3c9f84be8cc37f95e65a9063f50
Opcode Fuzzy Hash: eedba2581995b3c5542d5095f3c8f42f713976cdf197b0d1e490eb139f8f18ac
Instruction Fuzzy Hash: 9A1188B2225614ABCF108F68CC04AA63BE4EF46360B118775F839C72F0EB308951CB50

Function 00B95660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00B956BB
_wcslen.LIBCMT ref: 00B956CD
_wcslen.LIBCMT ref: 00B956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B95816

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4291d4d6dd3b0502a272f645bbe44a9e3fa40e7ebac9221aa84c936a38a25c33
Instruction ID: 6afd3dbcc1f561ca863e34d68e404ffac0edbbf679f9921b0e6d8432e06e0fd7
Opcode Fuzzy Hash: 4291d4d6dd3b0502a272f645bbe44a9e3fa40e7ebac9221aa84c936a38a25c33
Instruction Fuzzy Hash: 8711D375680618AADF31DF65DCC5AEE77ECEF11760B1040B6F915D6182EB70DA80CB60

Function 00B31D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f41c093cc99a5b4b92178f56bbd7e169c26c8b358b7c50da0a7200ba277a28c
Instruction ID: 5c3d75f4845dcb510b8c360ea7cb3aeaf243e4b1790b709a1c5a79dfeab92302
Opcode Fuzzy Hash: 8f41c093cc99a5b4b92178f56bbd7e169c26c8b358b7c50da0a7200ba277a28c
Instruction Fuzzy Hash: 01012CB62096167EE6112A7C6CC1F67769DDF423B8F3507B6B535611D2DB609C005170

Function 00B61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A8A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: be089a2aa61e597d039254115b55a93eb1d7c005bd76fc4116a070092e78006b
Instruction ID: a099ac7d896865435d9ccc4072d512343ca1fe3bbc4c9abe6e83cd03afee2622
Opcode Fuzzy Hash: be089a2aa61e597d039254115b55a93eb1d7c005bd76fc4116a070092e78006b
Instruction Fuzzy Hash: BF112A3A901219FFEB10DBA8C985FADBBB8EB04750F240491E614B7290D6716E50DB94

Function 00B6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00B6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B6E24D

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9be7bca23f94e67522c6d91dc7c60a74c40627a1f8adc80d4d0e26dbaaa71f10
Instruction ID: 186ed169f64d0ad3a4371d6283893594c48d1077d18885046242a34dd42d3c15
Opcode Fuzzy Hash: 9be7bca23f94e67522c6d91dc7c60a74c40627a1f8adc80d4d0e26dbaaa71f10
Instruction Fuzzy Hash: 2611DB76904254BFC7019FACDD19A9E7FEDEB45320F044666F924E3291DB74CD0487A4

Function 00B2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B2CFF9,00000000,00000004,00000000), ref: 00B2D218
GetLastError.KERNEL32 ref: 00B2D224
__dosmaperr.LIBCMT ref: 00B2D22B
ResumeThread.KERNEL32(00000000), ref: 00B2D249

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c6fb0153564774ef9da4bd7b29930b236d12c6494f24b320d16d20e20b5e5c5c
Instruction ID: a5198819d693e71cf513bed84b2dbef37c85a4f9a1c6774c578ab988597930e7
Opcode Fuzzy Hash: c6fb0153564774ef9da4bd7b29930b236d12c6494f24b320d16d20e20b5e5c5c
Instruction Fuzzy Hash: 3B01D636405124FBDB115BA5EC09BAE7EE9DF81331F100299F92DA21D0CF708901C6A1

Function 00B99EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

GetClientRect.USER32(?,?), ref: 00B99F31
GetCursorPos.USER32(?), ref: 00B99F3B
ScreenToClient.USER32(?,?), ref: 00B99F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B99F7A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f98b8bb055041c12660fde37d5fd6256626b9ccba974bc214f24191413adbeff
Instruction ID: 0307d9e574272e6b930af7db89c87d40842bcd677551d9fca7260b31d53780de
Opcode Fuzzy Hash: f98b8bb055041c12660fde37d5fd6256626b9ccba974bc214f24191413adbeff
Instruction Fuzzy Hash: 51115A3290051ABBDF50DFA8C985AEEBBF8FB05311F4004AAF911E3150D730BA81CBA1

Function 00B0600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
GetStockObject.GDI32(00000011), ref: 00B06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f84a4ae2b2938bfb9b14101287a25f471e411b62282031b67e7bf14d9a2a743b
Instruction ID: f5527b00422564350fb91c42628d87662e89b65060ab3f3663cff86f24560de5
Opcode Fuzzy Hash: f84a4ae2b2938bfb9b14101287a25f471e411b62282031b67e7bf14d9a2a743b
Instruction Fuzzy Hash: 4D116D72541509BFEF164FA4DC94EEABFA9EF083A4F044256FA1452150EB369C60EBA0

Function 00B23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B23B56

Part of subcall function 00B23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B23AD2
Part of subcall function 00B23AA3: ___AdjustPointer.LIBCMT ref: 00B23AED

_UnwindNestedFrames.LIBCMT ref: 00B23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B23BA4

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2de09faea756cd9af6cf031c4b01908c632fb02d5999015e2633acf4b0f6fd62
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2C012932100158BBDF126E95EC46EEB7FEAEF49B54F044094FE4C56121C736E961DBA0

Function 00B33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B013C6,00000000,00000000,?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue), ref: 00B330A5
GetLastError.KERNEL32(?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue,00BA2290,FlsSetValue,00000000,00000364,?,00B32E46), ref: 00B330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue,00BA2290,FlsSetValue,00000000), ref: 00B330BF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9cb4eda5a69816b7961be60e28a6eb03cd732542c8028e0afc348eae06dfdf2f
Instruction ID: 6b55d416cf526929ef694d93adc5bfb892da2ac8ee2bbe73c82e8c97522ac13d
Opcode Fuzzy Hash: 9cb4eda5a69816b7961be60e28a6eb03cd732542c8028e0afc348eae06dfdf2f
Instruction Fuzzy Hash: 6301F232302622ABCB354B7CAC84B677BD8EF05FA1F300661F906E7150DB21DA05CAE0

Function 00B67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B674CA

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7be2bb8d6bae58ab5361b84c1a7c8e8dfb21e493d50895f4832ffc2bc7ed06fb
Instruction ID: 737cac83dd7b874e4d8095c7bf8a9fdcb7043ad3aed00338eeb0c8c243cd523a
Opcode Fuzzy Hash: 7be2bb8d6bae58ab5361b84c1a7c8e8dfb21e493d50895f4832ffc2bc7ed06fb
Instruction Fuzzy Hash: A4118EB52453109BE7208F14ED4CB927FFCEB40B08F1085AAA61AD7251DF78E904DBA0

Function 00B6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B126

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5a8d0a3123683abe549d49aa1bd09b892f1604924b5daf9796a49ccc144758e8
Instruction ID: 374ed9571ac17e9a4181084bf5412b8796a30dc4a1f43dfe7067c687a3bb58b7
Opcode Fuzzy Hash: 5a8d0a3123683abe549d49aa1bd09b892f1604924b5daf9796a49ccc144758e8
Instruction Fuzzy Hash: 5C115B31C1152CEBCF00AFE4E998AEEBFB8FF0A711F104086D951B3185CB3496908B55

Function 00B97E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B97E33
ScreenToClient.USER32(?,?), ref: 00B97E4B
ScreenToClient.USER32(?,?), ref: 00B97E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B97E8A

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 23334eacfac3969e56982e01749ce54095cabd5b397a815081fc138681d66cd8
Instruction ID: 6714d5cbc88809564ea6b297a51ad0b4b0129775cef85b4e9638af249349448e
Opcode Fuzzy Hash: 23334eacfac3969e56982e01749ce54095cabd5b397a815081fc138681d66cd8
Instruction Fuzzy Hash: 971114B9D0024AAFDB41DF98C9849EEBBF9FF08310F505066E915E3210D735AA55CF50

Function 00B62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B62DD6
GetCurrentThreadId.KERNEL32 ref: 00B62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B62DE4

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 30d4d04ef4aa6c8b6804af1c00d35d7f36c72ef8d86866bc7bda1705f20ac66e
Instruction ID: fc26267e2052397e48a5c7692e316698abf0b5c6d3426313699ad216edcd4805
Opcode Fuzzy Hash: 30d4d04ef4aa6c8b6804af1c00d35d7f36c72ef8d86866bc7bda1705f20ac66e
Instruction Fuzzy Hash: EEE092711016247BEB201B729D0DFEB3EACEF43BA1F500466F505D30909EA5C840C6B0

Function 00B98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196A2
Part of subcall function 00B19639: BeginPath.GDI32(?), ref: 00B196B9
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B98887
LineTo.GDI32(?,?,?), ref: 00B98894
EndPath.GDI32(?), ref: 00B988A4
StrokePath.GDI32(?), ref: 00B988B2

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 51f2fa2b4ea360b5ef4585c4e186e6c52541befe9520ba3e93ce67f0b2192786
Instruction ID: 44d3767ae3ea92edd93bf3f9e8cc36798898f2920be7134c7e0475ee1b701a15
Opcode Fuzzy Hash: 51f2fa2b4ea360b5ef4585c4e186e6c52541befe9520ba3e93ce67f0b2192786
Instruction Fuzzy Hash: 88F05E36042258FADB126F94AD19FCE3F59AF06310F448042FA11660E2CB795652CFF9

Function 00B198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B198CC
SetTextColor.GDI32(?,?), ref: 00B198D6
SetBkMode.GDI32(?,00000001), ref: 00B198E9
GetStockObject.GDI32(00000005), ref: 00B198F1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e67915d402268b88383fa2af499d05522f1f9cf427c3e11a8b92f75de3f3f9d7
Instruction ID: 2483ea922bf256f635039b3c687b9329e50844670404d8d4072502c6e53943b1
Opcode Fuzzy Hash: e67915d402268b88383fa2af499d05522f1f9cf427c3e11a8b92f75de3f3f9d7
Instruction Fuzzy Hash: F8E06D31284290ABEB215B74BD19BE83F60EB12376F04C25AFBFA690E1CB7146449B10

Function 00B6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B611D9), ref: 00B6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B611D9), ref: 00B61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B611D9), ref: 00B6164F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5322a7bf0c88d72d537e36c02037394a9e51c7e57c63c7487c4e0d47083d925b
Instruction ID: 9544602fe3a038ac91492610a7aa6b7a97074c8b14698f24c2e9684156e7d71b
Opcode Fuzzy Hash: 5322a7bf0c88d72d537e36c02037394a9e51c7e57c63c7487c4e0d47083d925b
Instruction Fuzzy Hash: 35E08635601211EBD7201FA49F0DB463FBCEF44791F188849F245CA080DA384440C764

Function 00B5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5D858
GetDC.USER32(00000000), ref: 00B5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5D882
ReleaseDC.USER32(?), ref: 00B5D8A3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 34fc4216a2d62d23296c007e6b338efaa34945b1103d6f5d5c521a22dbb654ad
Instruction ID: 476e80b33eb3cd68d2d4a87931a87ac490274a912d57e99d04834313a18494a8
Opcode Fuzzy Hash: 34fc4216a2d62d23296c007e6b338efaa34945b1103d6f5d5c521a22dbb654ad
Instruction Fuzzy Hash: 12E01AB1800205DFCF419FA0DA4C66DBFF1FB08311F14808AE806E7250CB399945EF50

Function 00B5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5D86C
GetDC.USER32(00000000), ref: 00B5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5D882
ReleaseDC.USER32(?), ref: 00B5D8A3

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9a47dd7187cf1cb2b5c96749c8cd3ae2d9a0491d58cc1504029117fe1afe2407
Instruction ID: 1560ae9b78da7b64fe385eda6f07cd616fefde3971c989543da15320422f8961
Opcode Fuzzy Hash: 9a47dd7187cf1cb2b5c96749c8cd3ae2d9a0491d58cc1504029117fe1afe2407
Instruction Fuzzy Hash: AAE092B5800205EFCF51AFA0DA4C66DBFF5BB08311F54848AE94AE7250CB399945EF50

Function 00B74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B74ED4

Strings

*, xrefs: 00B74E10
LPT, xrefs: 00B74DFB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8e4566d67d2796df73fd338d71828bd696b22f3429a61842387f0158f755b414
Instruction ID: f42138214187d0a04964959c3fd9ee3f09364194e9f4855c4f04bfc64cfa886b
Opcode Fuzzy Hash: 8e4566d67d2796df73fd338d71828bd696b22f3429a61842387f0158f755b414
Instruction Fuzzy Hash: 4C913875A002049FCB14DF58C494EAABBF1EF49314F1980D9E81A9F3A2D771EE85CB91

Function 00B1E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B1E1B1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b8aa7f3c699637320db6091472c9e9a499a3b7a454fec6096e737ac1ed1ca19d
Instruction ID: dea0d144695cca922685dee9f9c4584e4c1fad6a867a6d189944e049c5b60377
Opcode Fuzzy Hash: b8aa7f3c699637320db6091472c9e9a499a3b7a454fec6096e737ac1ed1ca19d
Instruction Fuzzy Hash: 1D510275904256DFDB19DF28C491AFA7BE8EF19311F6440D5EC619B2C0DA30DE86CBA0

Function 00B1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B1F2BB

Strings

@, xrefs: 00B1F2AF

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c72d91cb82d02a5783404a5526c5becb1d6d4711d60be6dd77ad690e10fa8ff4
Instruction ID: 96ae4bfa23501b197b6c9631be486ec996f2fdfa886582f1f5e773e657a0ec46
Opcode Fuzzy Hash: c72d91cb82d02a5783404a5526c5becb1d6d4711d60be6dd77ad690e10fa8ff4
Instruction Fuzzy Hash: 2B5135718087459BD320AF14DC86BABBBF8FB84300F81899DF1D9421A5EF709529CB67

Function 00B85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B857E0
_wcslen.LIBCMT ref: 00B857EC

Strings

CALLARGARRAY, xrefs: 00B857E6, 00B857EB

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 33da806050a2bd8235b8ee9d4473141cf66941fcb75eb02e0ff0be402ffecb2b
Instruction ID: 07347aaa3f071fbf423cb25c118adcb73d4d96b3d76d6cffbe667e74d4dee8a1
Opcode Fuzzy Hash: 33da806050a2bd8235b8ee9d4473141cf66941fcb75eb02e0ff0be402ffecb2b
Instruction Fuzzy Hash: C1418131E00209DFCB14EFA9C8819FEBBF5EF59354F5040AAE505A72A1EB749D81CB90

Function 00B7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B7D13A

Strings

|, xrefs: 00B7D10B

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 43ef794619e511f688be3a94e05cbf9c5c25008077cfec130e30d3079daafbc1
Instruction ID: 75bea248a1a02cb6ea45d32bf0c36ea3726e686cf99c58a0130e16c2ca44ee7d
Opcode Fuzzy Hash: 43ef794619e511f688be3a94e05cbf9c5c25008077cfec130e30d3079daafbc1
Instruction Fuzzy Hash: 82311A71D00219ABCF15EFA4CC85AEE7FB9FF04340F404099F819A61A2DB31AA56CB60

Function 00B9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B9365C

Strings

static, xrefs: 00B935BC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 88b8b2e9c7f3909422361c8b81178ca06e6fa798a09fa14ca67ca11b5073a5a8
Instruction ID: c52314a7c8eb69491352eb5b5a6f0429bc68a06616fa2ea6aa5092616b9ca26f
Opcode Fuzzy Hash: 88b8b2e9c7f3909422361c8b81178ca06e6fa798a09fa14ca67ca11b5073a5a8
Instruction Fuzzy Hash: 4631AB71100204AADB10DF28CC80EFB77E9FF99B20F01866AF8A5D7290DA31AD81C760

Function 00B94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B94634

Strings

', xrefs: 00B9458E

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8e553eddbd3237917acd4b7f762a94810cce92aa2f18532798efaec718a9832e
Instruction ID: 6160e7e31eabc0a94f92fb9e46f42c36ce2e5ced8a3621d3a00949b3161c2a69
Opcode Fuzzy Hash: 8e553eddbd3237917acd4b7f762a94810cce92aa2f18532798efaec718a9832e
Instruction Fuzzy Hash: E03117B4A012099FDF14CFA9C990BDABBF5FB19300F1145AAE905AB341E770A942CF90

Function 00B931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B93287

Strings

Combobox, xrefs: 00B93249

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cc768d48d567ec0d0476c9086fd3641729efe72081a2ccae757df21d91e6efac
Instruction ID: f5032379032b349ebf3d57112ab4842d92e71e53f7dce3ed1576ff27c72c035f
Opcode Fuzzy Hash: cc768d48d567ec0d0476c9086fd3641729efe72081a2ccae757df21d91e6efac
Instruction Fuzzy Hash: 181190713002087FEF259F94DC90EBB3BEAEB98764F104579F918A7291D6319D518760

Function 00B93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
Part of subcall function 00B0600E: GetStockObject.GDI32(00000011), ref: 00B06060
Part of subcall function 00B0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

GetWindowRect.USER32(00000000,?), ref: 00B9377A
GetSysColor.USER32(00000012), ref: 00B93794

Strings

static, xrefs: 00B93757

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3f84b873a1f46759850f38d6842d961659e84dae2175996d7aa564d77f89f93f
Instruction ID: 5710c4e8ed6e119f5c33d02a398e2dd62d1b9b5938161bc14d8736d436e2e7a5
Opcode Fuzzy Hash: 3f84b873a1f46759850f38d6842d961659e84dae2175996d7aa564d77f89f93f
Instruction Fuzzy Hash: 271129B2610209AFDF00DFB8CD46EEA7BF8EB08714F014965F955E3250EB39E8519B50

Function 00B7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B7CDA6

Strings

<local>, xrefs: 00B7CD66

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: eda71f3ca6fefc8395bdf97e93ddaca28d14d299e0660fdd46a23879c7d9457e
Instruction ID: b55c5cfaf695559fbbcf5321527351b3a421c6151fb09baf0b043450f61d750e
Opcode Fuzzy Hash: eda71f3ca6fefc8395bdf97e93ddaca28d14d299e0660fdd46a23879c7d9457e
Instruction Fuzzy Hash: DA11A371205631BAD7344A668C85EE7BEE8EB127A4F1082BEB12D93190D6649C40D6F0

Function 00B93429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B934BA

Strings

edit, xrefs: 00B9348F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6e7683af5cf78506dc22abcdf8d36c432c2541fefb965815218cfc9556eb125b
Instruction ID: 78dbfcf5516afc7cf5b0d79a08374d8278aa9e76770816705fb442473845ca06
Opcode Fuzzy Hash: 6e7683af5cf78506dc22abcdf8d36c432c2541fefb965815218cfc9556eb125b
Instruction Fuzzy Hash: CF11BF71100108ABEF128F64DC84AAB3BEAEB05B78F524774F965933E0C731EC919760

Function 00B66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00B66CB6
_wcslen.LIBCMT ref: 00B66CC2

Strings

STOP, xrefs: 00B66CBC, 00B66CC1

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: eef9f1f7ccf6f3a5e774f908db652df2b49f13ac5498cc8750d1e22b46c4edac
Instruction ID: e0e54f2420e23d9b5ab8d2862451d33ded27a2ff1cfcdc3ecb56f836472951a1
Opcode Fuzzy Hash: eef9f1f7ccf6f3a5e774f908db652df2b49f13ac5498cc8750d1e22b46c4edac
Instruction Fuzzy Hash: 1D01D232A1092A8BCB20AFBDDC809BF77F5EF61750B1009B8E862971D1EB39D950C650

Function 00B61CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B61D4C

Strings

ComboBox, xrefs: 00B61CEB
ListBox, xrefs: 00B61D16

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b215c0bb14449426f738ca552576fa5f2d5f5bb603a0bcf0d188613b5ecf4a50
Instruction ID: 19639087500eb84351f510e0508ba13bc120cfa135397254b67bdb5433a9c7ac
Opcode Fuzzy Hash: b215c0bb14449426f738ca552576fa5f2d5f5bb603a0bcf0d188613b5ecf4a50
Instruction Fuzzy Hash: 9901D871601218ABCB14EFA4CD51DFE7BE8EB56390F0409A9F822673D2EA3459088760

Function 00B61BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B61C46

Strings

ComboBox, xrefs: 00B61BE5
ListBox, xrefs: 00B61C10

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b4fa36faaa31aec121bf17c7b1f212922c49ad4ba30985f4e40f5fe356f1dc95
Instruction ID: 89841a899be6ec34c134398b6ca184007fdf9cf00ca9b1ed9f3e7b70f3292eeb
Opcode Fuzzy Hash: b4fa36faaa31aec121bf17c7b1f212922c49ad4ba30985f4e40f5fe356f1dc95
Instruction Fuzzy Hash: AF01A775A8120866DB14EB94CA52EFF7BE8DB11340F140499F506672C2EA249E1896B1

Function 00B61C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B61CC8

Strings

ComboBox, xrefs: 00B61C69
ListBox, xrefs: 00B61C94

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0caa50b1aefda05547e0de731b02effc270cf77b41f7c92a96b2358af63d7f99
Instruction ID: d928989045ac0f1d0c13b9ab9b39b0b6c73de24aa54bb2778ea129320ee39e77
Opcode Fuzzy Hash: 0caa50b1aefda05547e0de731b02effc270cf77b41f7c92a96b2358af63d7f99
Instruction Fuzzy Hash: 7801D6B1A8121867DB14EBA4CA41EFF7BE8DB11380F180499B802772C2EA249F08D671

Function 00B61D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B61DD3

Strings

ComboBox, xrefs: 00B61D75
ListBox, xrefs: 00B61DA0

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1fb4be989e09408c1552c2b4e588ae3b98f43725377223e15ad4b207b7c690ac
Instruction ID: b5135dcfde979729a0645e8b7ea45c6719c341292e2223dcf297ed9965976c9e
Opcode Fuzzy Hash: 1fb4be989e09408c1552c2b4e588ae3b98f43725377223e15ad4b207b7c690ac
Instruction Fuzzy Hash: 50F0A971E5131466D714E7A4CD91FFF7BE8EB01750F040D99F422632D2DA6459088260

Function 00B8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B87493
_wcslen.LIBCMT ref: 00B874B9

Strings

3, 3, 16, 1, xrefs: 00B87483

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: afd3ee86d87bff172559f706f7236e5948404936b3c63f2a02bc87a554ae0f55
Instruction ID: 3376e0dea1f603818dbbeba7f3a0de288c97de30660e429d28724e08bd675ac2
Opcode Fuzzy Hash: afd3ee86d87bff172559f706f7236e5948404936b3c63f2a02bc87a554ae0f55
Instruction Fuzzy Hash: AEE02B022542301492313279ACC1A7F56C9CFC975073818ABF989C2376EFD4CDD2D3A0

Function 00B60B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B60B23

Strings

AutoIt, xrefs: 00B60B17
Error allocating memory., xrefs: 00B60B1C

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f03d7c86d42439f9adc0f4f3ddf660bf622045b795e0c2114a9d2a84ef177ca7
Instruction ID: 84a55d34e253f6601df21efdca0c1a74fd84f9b5b841f1006d73b83517c8e35a
Opcode Fuzzy Hash: f03d7c86d42439f9adc0f4f3ddf660bf622045b795e0c2114a9d2a84ef177ca7
Instruction Fuzzy Hash: 7FE0D83224831836D61437947C03FD97FC4CF05B10F1004FAFB48554D38AE1289046E9

Function 00B20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B20D71,?,?,?,00B0100A), ref: 00B1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B0100A), ref: 00B20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B0100A), ref: 00B20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B20D7F

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 35d01e7f88c52a4329a354f7722c99aad35301c7be74160b86c2df6a464efd5c
Instruction ID: 91ab1b846ca10d81aecebd756d294ed7493a957fff800ecc3a8f47cde269128e
Opcode Fuzzy Hash: 35d01e7f88c52a4329a354f7722c99aad35301c7be74160b86c2df6a464efd5c
Instruction Fuzzy Hash: E0E06D702017128BD720AFBCE5043527BE0AB00790F0089BEE886C7652EBB0E4448B91

Function 00B73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B7302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B73044

Strings

aut, xrefs: 00B73038

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 078ebda694547e00c86f67b957e8b7ff8bf3b7c911db48d4ef443e64d0102127
Instruction ID: d735e597d9db0c8e544fb9b06b9fa5dc399414affa284e76d8c624150d582004
Opcode Fuzzy Hash: 078ebda694547e00c86f67b957e8b7ff8bf3b7c911db48d4ef443e64d0102127
Instruction Fuzzy Hash: A5D05E7250032877DA20A7A4AD0EFCB3F6CDB04750F0002A2B655E30A1DEB09984CAE0

Function 00B5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B5D220

Strings

%.3d, xrefs: 00B5D22B
X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f612e15317e5b83bfc8acdd04b358b020d8d4a4495f110ea96a3ab2ce58ebc33
Instruction ID: 8ae50e1d728dc16deaa2c4525fc0ec3fa5e5dc22c45c7bfa77851b101c066688
Opcode Fuzzy Hash: f612e15317e5b83bfc8acdd04b358b020d8d4a4495f110ea96a3ab2ce58ebc33
Instruction Fuzzy Hash: ADD01271808109E9CB6097D0CCC9AFAB3FCEB48302F9085D6FC0692040D625D54DAF61

Function 00B92322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B9233F

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Strings

Shell_TrayWnd, xrefs: 00B92325

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 36059d4e19761744e014083d8198209ee28499000a910c9b12829bdf6230d488
Instruction ID: 441890e615e2f88460720860e5c2b94a993dc064fc234503fb3f1bf83f89dee8
Opcode Fuzzy Hash: 36059d4e19761744e014083d8198209ee28499000a910c9b12829bdf6230d488
Instruction Fuzzy Hash: C8D0C936394310B6E664A7709D0FFC66E64AF10B10F0149577655AB1E5C9B4A8018A54

Function 00B92356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9236C
PostMessageW.USER32(00000000), ref: 00B92373

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Strings

Shell_TrayWnd, xrefs: 00B92365

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 421858349c4d8c6517c368fa373c836d4a44efc3b3066251da005c27ae8966fa
Instruction ID: 1346118a252d5900b3b8e60583bf4a8336cc5b5367ef44412ea09c7cdcfa112b
Opcode Fuzzy Hash: 421858349c4d8c6517c368fa373c836d4a44efc3b3066251da005c27ae8966fa
Instruction Fuzzy Hash: 82D0C9363813107AE664A7709D0FFC66A64AB14B10F4149577655AB1E5C9B4A8018A54

Function 00B3BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B3BE93
GetLastError.KERNEL32 ref: 00B3BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3BEFC

Memory Dump Source

Source File: 00000000.00000002.2213497312.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.2213422125.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213809610.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2213993884.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2214084112.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5f0be15dc2534ecac4cc988ec5e051c7afe5dec8bbcfdf010d66d0e671e0be07
Instruction ID: ff5c947e30ec2ed95e916ebc7498aedebda956ddd477e32ce6abb37fa8b18005
Opcode Fuzzy Hash: 5f0be15dc2534ecac4cc988ec5e051c7afe5dec8bbcfdf010d66d0e671e0be07
Instruction Fuzzy Hash: F041D535604216AFCF218F68DC54EBA7BE5EF41310F3451EAFA599B1A9DB308D01CB60

Analysis Process: firefox.exePID: 7176, Parent PID: 6484COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000023C25C66377 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000023C25C6639C

Memory Dump Source

Source File: 00000012.00000002.3407166262.0000023C25C64000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000023C25C64000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_23c25c64000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction ID: cba9311c9aa849a47a690d512b9f8efac980c1cfe64605e77488712f9a4cc0b1
Opcode Fuzzy Hash: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction Fuzzy Hash: 10A3E931614A488BDB2DDF28DC956AAB3D5FB99300F14422EDD47D3291EF34EB468B81

Function 0000023C25C415D4 Relevance: 1.1, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.3406263258.0000023C25C40000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000023C25C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_23c25c40000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f7139093fbf40d44ebfd74a2562aaa6276efc0e9553703f6ebb50142c3fe3c
Instruction ID: 1041e9c38ee6bfb8c97cec65efa351e01262f2aec7cabd277c895d3c1bd2d001
Opcode Fuzzy Hash: 73f7139093fbf40d44ebfd74a2562aaa6276efc0e9553703f6ebb50142c3fe3c
Instruction Fuzzy Hash: 78218E3150CB8C4FD746DF28C845B96BBE1FB6A310F1506ABE089C7296E674D9498782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2426465204.000001FFB19D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2377073570.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385531082.000001FFB68D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2371880878.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2377073570.000001FFB68B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385531082.000001FFB68BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2349545996.000001FFBC7C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387105705.000001FFB5598000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2371880878.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2424496786.000001FFB4BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2424496786.000001FFB4BED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2371880878.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2377073570.000001FFB68C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385531082.000001FFB68D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2349545996.000001FFBC7C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387105705.000001FFB5598000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2371880878.000001FFBFF94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3401454796.0000023C25B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B5940C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3401454796.0000023C25B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B5940C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3401454796.0000023C25B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3402948060.0000019B5940C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2438551386.000001FFB3B6F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2371880878.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2424496786.000001FFB4BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2438551386.000001FFB3B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comG equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2438551386.000001FFB3B6F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2438020177.000001FFBF545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2371880878.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346576082.000001FFBFF4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2430726921.000001FFBFF78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2438551386.000001FFB3B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comLMEM equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2422873710.000001FFB57F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2424496786.000001FFB4BB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378280962.000001FFB57F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:56843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:56842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.6:56922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:56921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:56918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:56930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:56928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:56927 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:56932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:57053 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 57055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57049
Source: unknown	Network traffic detected: HTTP traffic on port 57046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57053
Source: unknown	Network traffic detected: HTTP traffic on port 56921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 56858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56927
Source: unknown	Network traffic detected: HTTP traffic on port 56930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56840
Source: unknown	Network traffic detected: HTTP traffic on port 56842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56842
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56843
Source: unknown	Network traffic detected: HTTP traffic on port 56924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 57053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56932
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56857
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56858
Source: unknown	Network traffic detected: HTTP traffic on port 56918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56930
Source: unknown	Network traffic detected: HTTP traffic on port 56843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 56932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57048
Source: unknown	Network traffic detected: HTTP traffic on port 57049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57044
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_54e4d048-228c-4fbe-bc29-76ec44013f8d.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_54e4d048-228c-4fbe-bc29-76ec44013f8d.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre