Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542228
MD5:	92bcbe7b8698b2db8e7eef7fc3613811
SHA1:	b47fc106035c2452685167a62f605b52bfb899ab
SHA256:	8b7c5881fd312e6434eb0252f5ddbcb5970c70a36ceb7a8b13fba3c9a19feb37
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 92BCBE7B8698B2DB8E7EEF7FC3613811)

taskkill.exe (PID: 4720 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6668 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4508 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6544 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6352 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2472 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3856 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229489d4-826a-4f96-a71a-4be4e9eb3af8} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afb646cb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b84a474f-afef-458f-8c5b-3129f3854e6d} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afc8a1c810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7840 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3036 -prefMapHandle 3048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1003c90-d201-4205-be3a-d720dcdb7632} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afd218f310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Code function: 0_2_00FFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FFED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FEAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01019576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01019576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a8617790-1
Source: file.exe, 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_16c4090a-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f9538409-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_68afee98-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE19177 NtQuerySystemInformation,		17_2_0000028D3EE19177
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE342F2 NtQuerySystemInformation,		17_2_0000028D3EE342F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FEE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F88060	0_2_00F88060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF2046	0_2_00FF2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE8298	0_2_00FE8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBE4FF	0_2_00FBE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB676B	0_2_00FB676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014873	0_2_01014873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8CAF0	0_2_00F8CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FACAA0	0_2_00FACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9CC39	0_2_00F9CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB6DD9	0_2_00FB6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F891C0	0_2_00F891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9B119	0_2_00F9B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1394	0_2_00FA1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1706	0_2_00FA1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA781B	0_2_00FA781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA19B0	0_2_00FA19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9997D	0_2_00F9997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F87920	0_2_00F87920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA7A4A	0_2_00FA7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA7CA7	0_2_00FA7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1C77	0_2_00FA1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB9EEE	0_2_00FB9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100BE44	0_2_0100BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1F32	0_2_00FA1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE19177	17_2_0000028D3EE19177
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE342F2	17_2_0000028D3EE342F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE34A1C	17_2_0000028D3EE34A1C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000028D3EE34332	17_2_0000028D3EE34332

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F89CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F9F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FA0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@34/36@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF37B5 GetLastError,FormatMessageW,

0_2_00FF37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FE10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FE16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FF51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FF648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2239982380.000001AFD2168000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2239982380.000001AFD21B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2240854529.000001AFD20E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229489d4-826a-4f96-a71a-4be4e9eb3af8} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afb646cb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b84a474f-afef-458f-8c5b-3129f3854e6d} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afc8a1c810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3036 -prefMapHandle 3048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1003c90-d201-4205-be3a-d720dcdb7632} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afd218f310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229489d4-826a-4f96-a71a-4be4e9eb3af8} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afb646cb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b84a474f-afef-458f-8c5b-3129f3854e6d} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afc8a1c810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3036 -prefMapHandle 3048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1003c90-d201-4205-be3a-d720dcdb7632} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afd218f310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2300892717.000001AFCA501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2293342581.000001AFC7EDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293342581.000001AFC7EDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2302610634.000001AFC5B4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbX source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2300227252.000001AFC5B4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000E.00000003.2279623800.000001AFC5AEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295170155.000001AFC5AEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2300892717.000001AFCA501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2293342581.000001AFC7EDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2300227252.000001AFC5B4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2303624401.000001AFCA501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2302610634.000001AFC5B4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2303624401.000001AFCA501000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2279623800.000001AFC5AEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295170155.000001AFC5AEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2294128830.000001AFC7D4C000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA0A76 push ecx; ret

0_2_00FA0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F9F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01011C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01011C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97786

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000028D3EE19177 rdtsc

17_2_0000028D3EE19177

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FEDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBC2A2 FindFirstFileExW,	0_2_00FBC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF68EE FindFirstFileW,FindClose,	0_2_00FF68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FF698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FF9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FF979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FF9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FF5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: firefox.exe, 00000011.00000002.3316008014.0000028D3F300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 00000012.00000002.3308025744.0000022B5B9CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: firefox.exe, 00000010.00000002.3310912791.000001C35B74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3316008014.0000028D3F300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3307091515.0000028D3E9B1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3316006468.0000022B5BE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3316357170.000001C35BA14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3316008014.0000028D3F300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: firefox.exe, 00000010.00000002.3317802893.000001C35BB00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000028D3EE19177 rdtsc

17_2_0000028D3EE19177

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFEAA2 BlockInput,

0_2_00FFEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FB2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00FA4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FE0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FB2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA09D5 SetUnhandledExceptionFilter,	0_2_00FA09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FA0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00FE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FC2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEB226 SendInput,keybd_event,

0_2_00FEB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEE3B9 mouse_event,

0_2_00FEE3B9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00FE0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FE1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2264151479.000001AFCA501000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA0698 cpuid

0_2_00FA0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FF8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDD27A GetUserNameW,

0_2_00FDD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FBB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FBB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F842DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01001204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01001806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
example.org	93.184.215.14	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.142	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2281574641.000001AFCE36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3EDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2242190083.000001AFCFF88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195032345.000001AFC6F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225144423.000001AFC6F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267433517.000001AFCFF88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193830188.000001AFC6E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2184670100.000001AFCE558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117102414.000001AFCE550000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213504437.000001AFCE558000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3311965562.000001C35B9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3EDE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3316525541.0000022B5BF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3311307595.0000022B5BD8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118886006.000001AFCE775000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275223051.000001AFCEA5E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2242190083.000001AFCFF74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267433517.000001AFCFF74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2094841410.000001AFC5E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093895548.000001AFC6400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094399621.000001AFC5E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094153100.000001AFC5E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094629407.000001AFC5E60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2137668014.000001AFC7AF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283828667.000001AFC8294000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2286002604.000001AFD207C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273810334.000001AFD2066000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2243734923.000001AFCE447000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2136857182.000001AFCEA6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185146323.000001AFCEE79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2153530918.000001AFCEE79000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2093895548.000001AFC6400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094399621.000001AFC5E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094153100.000001AFC5E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2094629407.000001AFC5E60000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2273810334.000001AFD2066000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2136857182.000001AFCEAC2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2238548553.000001AFD223A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2216724893.000001AFC63DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102867130.000001AFC63DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2191480946.000001AFC6E97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190494688.000001AFC6E7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2267794577.000001AFCEA51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEA51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2273810334.000001AFD2066000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2288393526.000001AFCE638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3EDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2289341381.000001AFCC3B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281781834.000001AFCC3B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2190494688.000001AFC6E7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2217412215.000001AFC7949000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2286150073.000001AFD201B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291475905.000001AFC8781000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2293091816.000001AFC7EF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2138472989.000001AFC7869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3311965562.000001C35B9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3EDE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3316525541.0000022B5BF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3311965562.000001C35B9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3EDE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3316525541.0000022B5BF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2238548553.000001AFD2232000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2269812823.000001AFCE4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118886006.000001AFCE775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2241234519.000001AFD1B98000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/CN=The	firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3311965562.000001C35B972000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2243734923.000001AFCE447000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2281315616.000001AFCEA44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEA43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267794577.000001AFCEA43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2190494688.000001AFC6E7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2271816940.000001AFC9EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270085659.000001AFCE4B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243147381.000001AFCE4B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117102414.000001AFCE599000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272219938.000001AFC9E53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187184898.000001AFC6EEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260171367.000001AFC6ECF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270628793.000001AFCE482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217412215.000001AFC7949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244426822.000001AFC9EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205333067.000001AFC6974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202488828.000001AFC7B19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207116404.000001AFC6973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248460223.000001AFC7B9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226301448.000001AFC6EEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226301448.000001AFC6EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290787370.000001AFC8BCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290787370.000001AFC8BF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2128289728.000001AFCE434000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104780294.000001AFC6974000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213093183.000001AFCE59E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2242730051.000001AFCE4FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127652624.000001AFCE4FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2243232163.000001AFCE49F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127652624.000001AFCE49F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272595762.000001AFC9D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282535421.000001AFC9D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250781742.000001AFC9D93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2243232163.000001AFCE49F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127652624.000001AFCE49F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272595762.000001AFC9D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282535421.000001AFC9D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250781742.000001AFC9D93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2281315616.000001AFCEA44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEA43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267794577.000001AFCEA43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2184670100.000001AFCE558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117102414.000001AFCE550000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213504437.000001AFCE558000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2280879076.000001AFCEA96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275223051.000001AFCEA95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEA95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2126415722.000001AFCEA95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136857182.000001AFCEA95000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2136857182.000001AFCEA7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2255935579.000001AFC6265000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2190494688.000001AFC6E7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2293517816.000001AFC7EB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246439975.000001AFC7EB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2124891360.000001AFC7FBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278119050.000001AFC7FBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245382791.000001AFC7FBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292568007.000001AFC7FBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284661591.000001AFC7FBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2191480946.000001AFC6E97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190494688.000001AFC6E7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193830188.000001AFC6E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2216724893.000001AFC63DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102867130.000001AFC63DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255935579.000001AFC6265000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2273810334.000001AFD2066000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2269812823.000001AFCE4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127652624.000001AFCE4B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118886006.000001AFCE775000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2286093564.000001AFD2037000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252725884.000001AFC7EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293091816.000001AFC7EF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2241234519.000001AFD1B98000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2241234519.000001AFD1B98000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2251935189.000001AFC8BCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217791307.000001AFCEE79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185146323.000001AFCEE79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2153530918.000001AFCEE79000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2243734923.000001AFCE447000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3311351112.000001C35B780000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3309292012.0000028D3EB90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3310706376.0000022B5BB80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
157.240.0.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542228
Start date and time:	2024-10-25 17:12:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@34/36@70/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 34.208.54.237, 44.231.229.39, 52.13.186.250, 142.250.186.106, 172.217.18.106, 142.250.185.238, 2.22.61.59, 2.22.61.56, 142.250.186.110
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:13:10	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
dyna.wikimedia.org	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
twitter.com	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Ffairwaygilbert.com%2Fnew%2FdtMyxOyre1WJ8xvj5DnN7kDa/Y2hyaXMuaGF3a2luc0BwZXJyeWhvbWVzLmNvbQ==	Get hash	malicious	Tycoon2FA	Browse	34.49.241.189
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse	34.49.229.81
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	34.10.190.7
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	33.10.198.51
FASTLYUS	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Ffairwaygilbert.com%2Fnew%2FdtMyxOyre1WJ8xvj5DnN7kDa/Y2hyaXMuaGF3a2luc0BwZXJyeWhvbWVzLmNvbQ==	Get hash	malicious	Tycoon2FA	Browse	151.101.2.137
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	https://pub-535a4999ab4b4c1e81647bad9b888e40.r2.dev/onedrivefresh.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	Purchase Order 10-25-2024.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.129.46
	ALVARA-072.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	151.101.129.108
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Ffairwaygilbert.com%2Fnew%2FdtMyxOyre1WJ8xvj5DnN7kDa/Y2hyaXMuaGF3a2luc0BwZXJyeWhvbWVzLmNvbQ==	Get hash	malicious	Tycoon2FA	Browse	34.49.241.189
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse	34.49.229.81
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	34.10.190.7
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	33.10.198.51

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cd829015-d6a8-4cf4-b990-05013b599a5e.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181433583092525
Encrypted:	false
SSDEEP:	192:LKMXhyh8hncbhbVbTbfbRbObtbyEl7nor1JA6wnSrDtTkd/SJH:LPxUyncNhnzFSJIrwjnSrDhkd/sH
MD5:	A09E5F2325B457D0698C4FC0B1F4028C
SHA1:	C1DB568BC9AEBF431DCCB2637B3C262507451F0A
SHA-256:	02524F15F6568BBCC2AF3009452E25B852982CB1629F55BADFF6E2A647D618F6
SHA-512:	CB466F5D241553D153A356F89B49E4C3A46EFCE3ADB815B4119ED64FF97383D30AF1A33C37E8BAC749DE5C8A588E55D376080BA25E91166F0BE7333CC67EB791
Malicious:	false
Preview:	{"type":"uninstall","id":"cd829015-d6a8-4cf4-b990-05013b599a5e","creationDate":"2024-10-25T16:24:08.619Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cd829015-d6a8-4cf4-b990-05013b599a5e.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181433583092525
Encrypted:	false
SSDEEP:	192:LKMXhyh8hncbhbVbTbfbRbObtbyEl7nor1JA6wnSrDtTkd/SJH:LPxUyncNhnzFSJIrwjnSrDhkd/sH
MD5:	A09E5F2325B457D0698C4FC0B1F4028C
SHA1:	C1DB568BC9AEBF431DCCB2637B3C262507451F0A
SHA-256:	02524F15F6568BBCC2AF3009452E25B852982CB1629F55BADFF6E2A647D618F6
SHA-512:	CB466F5D241553D153A356F89B49E4C3A46EFCE3ADB815B4119ED64FF97383D30AF1A33C37E8BAC749DE5C8A588E55D376080BA25E91166F0BE7333CC67EB791
Malicious:	false
Preview:	{"type":"uninstall","id":"cd829015-d6a8-4cf4-b990-05013b599a5e","creationDate":"2024-10-25T16:24:08.619Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.921995313863402
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNdj9mYxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIjQY8P
MD5:	64840D8A89A1E91675B2F7289609DA6D
SHA1:	162D7DB810686B18191FB7673E7D5CA1AFB0F484
SHA-256:	C832D3D7FD4EE5F69DE207417590F644CB535B86E6087DA859142425F6F1B94D
SHA-512:	A4F7B776261D71CBE65274976028C7AFAF9B5DDC91D1C86C2CFA1B837330E54C33D420BE421BEFD699FFA1541CD58F0CA3A7E5370CCB4E04835513864CADE655
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.921995313863402
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNdj9mYxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIjQY8P
MD5:	64840D8A89A1E91675B2F7289609DA6D
SHA1:	162D7DB810686B18191FB7673E7D5CA1AFB0F484
SHA-256:	C832D3D7FD4EE5F69DE207417590F644CB535B86E6087DA859142425F6F1B94D
SHA-512:	A4F7B776261D71CBE65274976028C7AFAF9B5DDC91D1C86C2CFA1B837330E54C33D420BE421BEFD699FFA1541CD58F0CA3A7E5370CCB4E04835513864CADE655
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331823752770965
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiK:DLhesh7Owd4+ji
MD5:	9B5B30E7A49109D74C1014D30605E7AF
SHA1:	0B5A18AADB8854A586DCBD1956C879AF15871104
SHA-256:	6B0D871BD22886C838F7F39FD9150DFA3D28C6FF4E2DFB380F15A278B64ED57F
SHA-512:	AFF317B7366534D144D656679C78ED9D71857DDDFCDBB8373FEC5FB874A860D546E9C9E0B3DCAD65E57D8AD714EFE9471B3B8078E84414813A565E4D54E5B47A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFvGJb0c7u/3lstFvGJb0c7htT89//alEl:GtWtwJb0c7uPWtwJb0c7n89XuM
MD5:	F8C98C76ABD221CD19AEEFE9F8912960
SHA1:	34C3F718DE30854D32042564081135903BA97652
SHA-256:	B89740089D3D1BCFAD9D8937B4709E60B212D096783B1FB273D36D2B50C376AE
SHA-512:	176A850CC8DD921BA2B3768881A99E9784C8760103ADA40C5C97F9BAA8738C7D8B8E46F33BD77038F3A9CAC9E02C05826AE6795C7B2122938967CA58347B29AA
Malicious:	false
Preview:	..-.....................8..2G.~....y...,:..4...-.....................8..2G.~....y...,:..4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03981332616593857
Encrypted:	false
SSDEEP:	3:Ol1yafIpYl2lfZO7kbZXvQa7l8rEXsxdwhml8XW3R2:KQaAWKnQwl8dMhm93w
MD5:	DD757B2D4560323287E54F510FCB2727
SHA1:	ABE983740391319869C0AF598C65C052B8416542
SHA-256:	D6FD83000C08CD44B15FB2F8C5315C80D51A0DD7BB4E6BF4C566A157C6808490
SHA-512:	B85B759B286BC7BB81046AD346DAD20FAAEFE60C4750C62DC7EC09B9B64C0F74518B52C7E2DDC3F4FFACAF4BDFA394766F8EDB52F107977EFF1022248EC097CB
Malicious:	false
Preview:	7....-..............y.....N.G-............y....8~.G2................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477172172047747
Encrypted:	false
SSDEEP:	192:wnPOeRnLYbBp6QJ0aX+e6SEXKhyNIbO5RHWNBw8dZSl:qDeJJUFkeICHEwS0
MD5:	271A0DC16A1771455B0C3750993268FD
SHA1:	24484EF91A84682016DC8FBEC7563FF2D6AF8025
SHA-256:	15B47BB971F885B5233A226F6CC5629225091F239A55016F51B42910D4D6EFA3
SHA-512:	9EA8FADAE28DCA392106512DA278639220C4E20AD2817190B82A0B049CAE4D84DD4D4AD1499A6487D235D452B36D60F5A24F266E7EABD9AF69FCA0C19342DF17
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729873418);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729873418);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729873418);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172987

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477172172047747
Encrypted:	false
SSDEEP:	192:wnPOeRnLYbBp6QJ0aX+e6SEXKhyNIbO5RHWNBw8dZSl:qDeJJUFkeICHEwS0
MD5:	271A0DC16A1771455B0C3750993268FD
SHA1:	24484EF91A84682016DC8FBEC7563FF2D6AF8025
SHA-256:	15B47BB971F885B5233A226F6CC5629225091F239A55016F51B42910D4D6EFA3
SHA-512:	9EA8FADAE28DCA392106512DA278639220C4E20AD2817190B82A0B049CAE4D84DD4D4AD1499A6487D235D452B36D60F5A24F266E7EABD9AF69FCA0C19342DF17
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729873418);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729873418);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729873418);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172987

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\cc98356d-39fa-47c0-a475-b7bbc1c84801 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.967605301690706
Encrypted:	false
SSDEEP:	12:YZFg2KIJjVIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YBKInSlCOlZGV1AQIWZcy6ZXvx
MD5:	4405C19E8B28AB2831BEE016C053F588
SHA1:	217F2AE4EE8173BF39BDE5D0B2AFFD93263DFFDA
SHA-256:	4973031623A68082FB365578A49619BFE61F0BD3DE3F9FFB2D68B7C06FF786CF
SHA-512:	B9C49C5A98800E2842EA94BC46372D099171640008F1ACDB67A8F986970D1A61796EAEF03E9A2CFCB24B103BEE35FA26EB19FA58CDA1BB7BB9B01B2A645F3F90
Malicious:	false
Preview:	{"type":"health","id":"cc98356d-39fa-47c0-a475-b7bbc1c84801","creationDate":"2024-10-25T16:24:09.257Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\cc98356d-39fa-47c0-a475-b7bbc1c84801.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.967605301690706
Encrypted:	false
SSDEEP:	12:YZFg2KIJjVIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YBKInSlCOlZGV1AQIWZcy6ZXvx
MD5:	4405C19E8B28AB2831BEE016C053F588
SHA1:	217F2AE4EE8173BF39BDE5D0B2AFFD93263DFFDA
SHA-256:	4973031623A68082FB365578A49619BFE61F0BD3DE3F9FFB2D68B7C06FF786CF
SHA-512:	B9C49C5A98800E2842EA94BC46372D099171640008F1ACDB67A8F986970D1A61796EAEF03E9A2CFCB24B103BEE35FA26EB19FA58CDA1BB7BB9B01B2A645F3F90
Malicious:	false
Preview:	{"type":"health","id":"cc98356d-39fa-47c0-a475-b7bbc1c84801","creationDate":"2024-10-25T16:24:09.257Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	6.329780581360792
Encrypted:	false
SSDEEP:	24:vHSUG6xaOLXrIrkjpnQRUzT5sCIdmgyPJHVpj/4FDhuj7O2c0TiVm0BtJqQ:fpvnzp8UZfZgQrj/407c3zBtH
MD5:	9D4251CF5FE3C26056F694290DEEBF6B
SHA1:	AE817DE4B293362EA4B020DE6EEC79DFCC724814
SHA-256:	5178A3636B8FEBB93B0F1290759182F0F9DFBD3409A078F54CF55190367A6289
SHA-512:	AFDCC31D9175663973BF3B3CEF815EAB3475FFD2DD9C629C987D323FE07EDB699A732AAB2E27902822707CB73DC1AC5D2F369A7025B61B85F0B798B68116C3AD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":7,"docshellUU...D"{2b5d27a7-70d6-4c61-a927-2f1bfa9b31e2}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729873423650,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2150633470P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...W...l...........:..<.1":{..jUpdate.....vtartTim..`388158...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2....Donly..eexpiry....398005,"originA...."firstPartyDomain":"","geckoViewS.....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	6.329780581360792
Encrypted:	false
SSDEEP:	24:vHSUG6xaOLXrIrkjpnQRUzT5sCIdmgyPJHVpj/4FDhuj7O2c0TiVm0BtJqQ:fpvnzp8UZfZgQrj/407c3zBtH
MD5:	9D4251CF5FE3C26056F694290DEEBF6B
SHA1:	AE817DE4B293362EA4B020DE6EEC79DFCC724814
SHA-256:	5178A3636B8FEBB93B0F1290759182F0F9DFBD3409A078F54CF55190367A6289
SHA-512:	AFDCC31D9175663973BF3B3CEF815EAB3475FFD2DD9C629C987D323FE07EDB699A732AAB2E27902822707CB73DC1AC5D2F369A7025B61B85F0B798B68116C3AD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":7,"docshellUU...D"{2b5d27a7-70d6-4c61-a927-2f1bfa9b31e2}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729873423650,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2150633470P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...W...l...........:..<.1":{..jUpdate.....vtartTim..`388158...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2....Donly..eexpiry....398005,"originA...."firstPartyDomain":"","geckoViewS.....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	6.329780581360792
Encrypted:	false
SSDEEP:	24:vHSUG6xaOLXrIrkjpnQRUzT5sCIdmgyPJHVpj/4FDhuj7O2c0TiVm0BtJqQ:fpvnzp8UZfZgQrj/407c3zBtH
MD5:	9D4251CF5FE3C26056F694290DEEBF6B
SHA1:	AE817DE4B293362EA4B020DE6EEC79DFCC724814
SHA-256:	5178A3636B8FEBB93B0F1290759182F0F9DFBD3409A078F54CF55190367A6289
SHA-512:	AFDCC31D9175663973BF3B3CEF815EAB3475FFD2DD9C629C987D323FE07EDB699A732AAB2E27902822707CB73DC1AC5D2F369A7025B61B85F0B798B68116C3AD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":7,"docshellUU...D"{2b5d27a7-70d6-4c61-a927-2f1bfa9b31e2}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729873423650,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2150633470P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...W...l...........:..<.1":{..jUpdate.....vtartTim..`388158...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2....Donly..eexpiry....398005,"originA...."firstPartyDomain":"","geckoViewS.....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030468212458154
Encrypted:	false
SSDEEP:	96:ychMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:ETEr5NX0z3DhRe
MD5:	2A1298105F0DBEC46C0D33DE05AD2E7C
SHA1:	11D4BFECF17D94FFA6D57F1ADBED64E1D3614A1F
SHA-256:	D5723E7736682795A05FDFA735E726771FA51FB7529C6A866A9F1C850D507945
SHA-512:	B1872ED703CBE32E6F78FC0E1D078C11620935206CF3BC7DC1654C7CB02A5E0F2A8BBB53E5F0FC68F5F22276550C2BA71B3E58B953B53D32F83923FD7CDB25AE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T16:23:26.996Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030468212458154
Encrypted:	false
SSDEEP:	96:ychMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:ETEr5NX0z3DhRe
MD5:	2A1298105F0DBEC46C0D33DE05AD2E7C
SHA1:	11D4BFECF17D94FFA6D57F1ADBED64E1D3614A1F
SHA-256:	D5723E7736682795A05FDFA735E726771FA51FB7529C6A866A9F1C850D507945
SHA-512:	B1872ED703CBE32E6F78FC0E1D078C11620935206CF3BC7DC1654C7CB02A5E0F2A8BBB53E5F0FC68F5F22276550C2BA71B3E58B953B53D32F83923FD7CDB25AE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T16:23:26.996Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5837442262243435
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	92bcbe7b8698b2db8e7eef7fc3613811
SHA1:	b47fc106035c2452685167a62f605b52bfb899ab
SHA256:	8b7c5881fd312e6434eb0252f5ddbcb5970c70a36ceb7a8b13fba3c9a19feb37
SHA512:	43bd8b18f776bc3fcb8da393727a6250d5f96097966f8805dbf3fc4dc96208f080304c93aba19e47e096bd3e2598ba7c920d8f4a93ea9778d6ead631bdd9c268
SSDEEP:	12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTE:UqDEvCTbMWu7rQYlBQcBiT6rprG8a4E
TLSH:	83159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671BB13A [Fri Oct 25 14:54:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB688D553B3h
jmp 00007FB688D54CBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB688D54E9Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB688D54E6Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB688D57A5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB688D57AA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB688D57A91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bf4	0x9c00	a4c36bf0b338b8b161914d28ac21ea60	False	0.31823417467948717	data	5.330505108792338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xebc	data			1.002916224814422
RT_GROUP_ICON	0xdd674	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd700	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd714	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd728	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd804	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 17:13:02.952229977 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:02.952275038 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:02.952351093 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:02.956268072 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:02.956283092 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:03.573237896 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:03.573424101 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:03.612421036 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:03.612442017 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:03.612492085 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:03.613147974 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:03.613326073 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:03.854712009 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.854757071 CEST	443	49711	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:03.854885101 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.856462002 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.856482029 CEST	443	49711	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:03.867465019 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.867537975 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:03.875150919 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.891397953 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:03.891432047 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:03.891825914 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:03.897655964 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:03.900535107 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:03.900682926 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:03.908575058 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:04.281832933 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.281882048 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.298948050 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.299035072 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.303025961 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.303138971 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.304773092 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.304788113 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.306158066 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.306197882 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.344863892 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:04.344891071 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:04.345201015 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:04.345320940 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:04.345331907 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:04.519865990 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:04.579628944 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:04.707437992 CEST	443	49711	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.707597017 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.733124971 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.733139038 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.733326912 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.938302994 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.938337088 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.938541889 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.939335108 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.939373016 CEST	443	49711	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.939421892 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.939873934 CEST	443	49711	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.941935062 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.942006111 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.942033052 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.942173958 CEST	443	49712	157.240.0.35	192.168.2.5
Oct 25, 2024 17:13:04.945157051 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.945177078 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.946269035 CEST	49711	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.946293116 CEST	49712	443	192.168.2.5	157.240.0.35
Oct 25, 2024 17:13:04.953192949 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.953200102 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.953300953 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.953361988 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.953892946 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.953907013 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.953984976 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.954097986 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:04.954137087 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.954571962 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:04.960005999 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:04.960088015 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:05.182240009 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:05.182276011 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:05.182630062 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:05.186219931 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:05.186297894 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:05.186408997 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:05.191833019 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.192584038 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:05.197659969 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.199197054 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.299616098 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.305047989 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.305121899 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.305258036 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.310587883 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.371577978 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:05.371609926 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:05.372936010 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.378427982 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.384105921 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:05.384293079 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.385719061 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:05.385740042 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:05.385864973 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:05.387015104 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:05.387098074 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:05.391268015 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.391763926 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:05.391922951 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:05.391943932 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:05.910876036 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:05.970134974 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:06.009380102 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:06.009468079 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:06.009989023 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:06.010015011 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:06.010296106 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:06.012861967 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:06.012871027 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:06.013189077 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:06.018708944 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:06.018800020 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:06.018896103 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 25, 2024 17:13:06.019654036 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:06.019664049 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:06.019736052 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:06.019789934 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 25, 2024 17:13:06.020231962 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 17:13:06.020334005 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 17:13:06.030116081 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:06.070430040 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:06.484805107 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:06.491144896 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:06.512530088 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:06.518039942 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:06.613023996 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:06.644578934 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:06.672158957 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:06.687844038 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:10.969381094 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:10.974658966 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:11.095942974 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:11.141454935 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:15.626497030 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:15.626569986 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:15.639938116 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:15.641544104 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:15.641571999 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:15.645659924 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:15.645750999 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:15.646436930 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:15.646523952 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:15.647013903 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:15.647054911 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:15.647109032 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:15.647113085 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:15.648435116 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:15.648475885 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:15.648521900 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:15.648536921 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:15.648633957 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:15.649931908 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:15.649945974 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:15.793469906 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:15.798842907 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:15.926065922 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:15.994160891 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:16.141870022 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:16.147228003 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:16.259697914 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:16.259708881 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:16.259778976 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:16.260031939 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:16.260092020 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:16.268589020 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:16.268665075 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:16.269768953 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:16.288759947 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:16.288948059 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:16.310652971 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:17.000025034 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:17.000051975 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:17.000412941 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:17.009751081 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:17.009804964 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:17.009944916 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:17.010123014 CEST	443	49735	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:17.010394096 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.010409117 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:17.010494947 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.010525942 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.010579109 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.010643959 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:17.010660887 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:17.010734081 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.010842085 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:17.010854006 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:17.010863066 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:17.010869980 CEST	443	49736	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.011105061 CEST	49735	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:17.011140108 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.011174917 CEST	49736	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.011925936 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.011955976 CEST	443	49750	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.012214899 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.013741970 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.013751030 CEST	443	49750	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.219331980 CEST	443	49737	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:17.220490932 CEST	49737	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:17.690934896 CEST	443	49750	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.691009998 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.695878983 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.695890903 CEST	443	49750	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.695970058 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.696074963 CEST	443	49750	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:17.696218967 CEST	49750	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:17.779637098 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:17.841938972 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.841965914 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:17.843398094 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.843627930 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:17.843657017 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.000010014 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:18.132658958 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.132699013 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.137700081 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.137722015 CEST	443	49753	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.137934923 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.137974024 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.143161058 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.143198013 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.144675970 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.144689083 CEST	443	49753	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.144921064 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.144956112 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.258013964 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.300874949 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:18.591012955 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:18.596867085 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.718311071 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.727679014 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.727782965 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.730570078 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.730600119 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.730874062 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.732726097 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.732831955 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.732934952 CEST	443	49752	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.733643055 CEST	49752	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.764543056 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:18.787813902 CEST	443	49753	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.787903070 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.789351940 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.789443016 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.807585955 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.807615995 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.807838917 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.811088085 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.811106920 CEST	443	49753	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.811178923 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.811691046 CEST	443	49753	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.811774015 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.811856031 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.811933041 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.813174009 CEST	49753	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.813201904 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.815440893 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:18.819720984 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.819760084 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:18.820549011 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.820804119 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:18.821911097 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:18.821929932 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:19.138343096 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:19.181328058 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:19.183150053 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:19.183203936 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:19.430039883 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:19.430113077 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:19.472784042 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:19.472796917 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:19.472862005 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:19.473026991 CEST	443	49760	34.120.208.123	192.168.2.5
Oct 25, 2024 17:13:19.473145008 CEST	49760	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:13:20.234596968 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:20.240195990 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:20.323265076 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:20.328660965 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:20.361449957 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:20.406943083 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:20.455449104 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:20.507221937 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:21.806503057 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:21.812041044 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:21.934266090 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:21.989440918 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:22.829417944 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:22.829513073 CEST	443	49781	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:22.829758883 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:22.831233978 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:22.831269979 CEST	443	49781	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:23.443763018 CEST	443	49781	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:23.444019079 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:23.448288918 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:23.448343039 CEST	443	49781	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:23.448400021 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:23.448960066 CEST	443	49781	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:23.449254036 CEST	49781	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:23.451695919 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:23.457127094 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:23.685514927 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:23.688735962 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:23.694088936 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:23.728919983 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:23.815396070 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:23.863684893 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:31.648808002 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:31.648842096 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:31.651787043 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:31.651873112 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:31.651880980 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:31.675688028 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:31.675770044 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:31.679373026 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:31.679454088 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:31.686629057 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:31.686630011 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:31.686630011 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:31.686768055 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:31.687896967 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:31.687932968 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:31.925092936 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:31.925121069 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:31.925374985 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:31.925473928 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:31.925484896 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:31.926632881 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:31.926677942 CEST	443	58001	35.201.103.21	192.168.2.5
Oct 25, 2024 17:13:31.927108049 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:31.928406000 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:31.928428888 CEST	443	58001	35.201.103.21	192.168.2.5
Oct 25, 2024 17:13:32.534831047 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.534924984 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.537262917 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:32.537318945 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:32.537668943 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:32.537698984 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:32.537755013 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:32.538192987 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.538212061 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.538254976 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.538268089 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.538275957 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.538503885 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.541166067 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.541208982 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.541559935 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.545512915 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:32.545522928 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:32.545727015 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:32.547238111 CEST	443	58001	35.201.103.21	192.168.2.5
Oct 25, 2024 17:13:32.547399998 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:32.551369905 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.551559925 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.551623106 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.551628113 CEST	443	57997	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.551731110 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.551945925 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.552544117 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.552577019 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.552653074 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:32.552668095 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:32.552711964 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:32.552817106 CEST	443	57999	35.190.72.216	192.168.2.5
Oct 25, 2024 17:13:32.553364038 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:32.553416967 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:32.553493023 CEST	443	58000	151.101.129.91	192.168.2.5
Oct 25, 2024 17:13:32.556624889 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:32.556680918 CEST	443	58001	35.201.103.21	192.168.2.5
Oct 25, 2024 17:13:32.556710005 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:32.556819916 CEST	443	58001	35.201.103.21	192.168.2.5
Oct 25, 2024 17:13:32.557851076 CEST	57999	443	192.168.2.5	35.190.72.216
Oct 25, 2024 17:13:32.557863951 CEST	58000	443	192.168.2.5	151.101.129.91
Oct 25, 2024 17:13:32.557871103 CEST	58001	443	192.168.2.5	35.201.103.21
Oct 25, 2024 17:13:32.560260057 CEST	57997	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.561930895 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:32.563565969 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.563651085 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.564560890 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.564661980 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.564698935 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.566613913 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.566690922 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.566947937 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.567080975 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.567111969 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.567393064 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:32.568939924 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.569022894 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.572288036 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.572393894 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:32.572428942 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:32.576792002 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.576828003 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.576941967 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.577013969 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.577030897 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.694092035 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:32.696908951 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:32.702605009 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:32.742777109 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:32.767343998 CEST	443	57998	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:32.767420053 CEST	57998	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:32.824297905 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:32.874313116 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:33.166667938 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.166770935 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.169591904 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.169646025 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.170362949 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.171572924 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.171952963 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.174369097 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.174460888 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.174808025 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.174873114 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.174964905 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.175152063 CEST	443	58008	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.178324938 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.178324938 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.178553104 CEST	443	58007	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.180879116 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:33.184622049 CEST	58008	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.184662104 CEST	58007	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.186279058 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:33.186994076 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:33.187108040 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:33.190789938 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:33.190799952 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:33.191121101 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:33.194571972 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:33.194677114 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:33.194741011 CEST	443	58010	34.149.100.209	192.168.2.5
Oct 25, 2024 17:13:33.195578098 CEST	58010	443	192.168.2.5	34.149.100.209
Oct 25, 2024 17:13:33.211478949 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.211585999 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.214890957 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.214922905 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.215167999 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.218306065 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.218384027 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.218499899 CEST	443	58009	35.244.181.201	192.168.2.5
Oct 25, 2024 17:13:33.218780994 CEST	58009	443	192.168.2.5	35.244.181.201
Oct 25, 2024 17:13:33.314054966 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:33.332464933 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:33.337737083 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:33.362965107 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:33.459131002 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:33.507309914 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:33.706553936 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:33.706599951 CEST	443	58018	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:33.707005024 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:33.708693027 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:33.708714962 CEST	443	58018	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:34.326637030 CEST	443	58018	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:34.326798916 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:34.330096006 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:34.330112934 CEST	443	58018	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:34.330174923 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:34.330303907 CEST	443	58018	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:34.332554102 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:34.332693100 CEST	58018	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:34.338283062 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:34.464890003 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:34.467691898 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:34.474309921 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:34.525837898 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:34.840133905 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:34.843152046 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:34.844028950 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:44.476089001 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:44.481529951 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:44.855007887 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:44.860496998 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:54.346307039 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.346328974 CEST	443	58129	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:54.346561909 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.348530054 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.348546982 CEST	443	58129	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:54.482402086 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:54.488508940 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:54.867981911 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:54.874344110 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:54.987833977 CEST	443	58129	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:54.987940073 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.993918896 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.993926048 CEST	443	58129	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:54.994010925 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.994162083 CEST	443	58129	34.107.243.93	192.168.2.5
Oct 25, 2024 17:13:54.995038986 CEST	58129	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:13:54.997020960 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:55.003371954 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:55.129920006 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:55.132922888 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:55.138431072 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:55.184545040 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:13:55.260446072 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:13:55.307037115 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:01.846795082 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.846837044 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:01.850080967 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.850357056 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.850400925 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:01.853236914 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.853281021 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:01.857268095 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.857986927 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:01.858006954 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.467432022 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.468332052 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.471291065 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.471343994 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.471606970 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.472286940 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.473875046 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.473969936 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.474050999 CEST	443	58166	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.474112034 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.474113941 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.474617958 CEST	58166	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.477164030 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.477171898 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.477453947 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.479847908 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.479940891 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.480027914 CEST	443	58167	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.480077028 CEST	58167	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.520612955 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:02.522296906 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.522349119 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.523268938 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.523415089 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.523423910 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.526097059 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:02.549329996 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.549371958 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.550060987 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.550195932 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.550211906 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.575784922 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.575830936 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.576257944 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.576390028 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:02.576412916 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:02.655073881 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:02.680039883 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:02.685761929 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:02.706558943 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:02.807991982 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:02.860250950 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:03.165921926 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.165996075 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.166806936 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.168915987 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.168926001 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.169153929 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.169336081 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.171541929 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.171555042 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.171817064 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.173851013 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.173953056 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.173978090 CEST	443	58173	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.174880981 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.174999952 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.175096989 CEST	443	58174	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.176716089 CEST	58173	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.176737070 CEST	58174	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.178379059 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:03.183864117 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:03.200150967 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.200217962 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.202964067 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.202970028 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.203195095 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.205396891 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.205493927 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.205512047 CEST	443	58175	34.120.208.123	192.168.2.5
Oct 25, 2024 17:14:03.205781937 CEST	58175	443	192.168.2.5	34.120.208.123
Oct 25, 2024 17:14:03.310765982 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:03.315665960 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:03.321382999 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:03.361648083 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:03.443264961 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:03.493171930 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:13.321150064 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:13.326793909 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:13.459250927 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:13.605395079 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:23.333776951 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:23.339612007 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:23.619159937 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:23.624718904 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:33.347085953 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:33.352467060 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:33.632689953 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:33.638209105 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:35.032936096 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.032962084 CEST	443	58193	34.107.243.93	192.168.2.5
Oct 25, 2024 17:14:35.033041954 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.034598112 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.034614086 CEST	443	58193	34.107.243.93	192.168.2.5
Oct 25, 2024 17:14:35.689074993 CEST	443	58193	34.107.243.93	192.168.2.5
Oct 25, 2024 17:14:35.689177990 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.694781065 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.694792986 CEST	443	58193	34.107.243.93	192.168.2.5
Oct 25, 2024 17:14:35.694894075 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.694968939 CEST	443	58193	34.107.243.93	192.168.2.5
Oct 25, 2024 17:14:35.695099115 CEST	58193	443	192.168.2.5	34.107.243.93
Oct 25, 2024 17:14:35.697499037 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:35.703402042 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:35.830540895 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:35.834142923 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:35.839639902 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:35.885035038 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:35.960927010 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:36.001005888 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:45.851759911 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:45.902576923 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:45.967643976 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:45.973155022 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:55.912691116 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:55.918257952 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:14:55.981827021 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:14:55.988038063 CEST	80	49718	34.107.221.82	192.168.2.5
Oct 25, 2024 17:15:05.919929981 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:15:05.925420046 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 17:15:06.004595995 CEST	49718	80	192.168.2.5	34.107.221.82
Oct 25, 2024 17:15:06.010046959 CEST	80	49718	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 17:13:02.953283072 CEST	58745	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:02.963128090 CEST	53	58745	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:02.972662926 CEST	56131	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:02.980926991 CEST	53	56131	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:03.832078934 CEST	62517	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.832401991 CEST	49318	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.840163946 CEST	53	62517	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:03.850003004 CEST	49249	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.855323076 CEST	56904	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.858347893 CEST	53	49249	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:03.858913898 CEST	51943	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.863257885 CEST	53	56904	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:03.865448952 CEST	51756	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:03.866312981 CEST	53	51943	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:03.873368025 CEST	53	51756	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.101907969 CEST	65167	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.125808001 CEST	63334	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.271878958 CEST	53	65167	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.272105932 CEST	53	63334	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.282560110 CEST	55496	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.290301085 CEST	53	55496	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.299376011 CEST	53517	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.308063030 CEST	53	53517	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.316401958 CEST	50507	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.320689917 CEST	59939	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.323596001 CEST	53	50507	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.328027964 CEST	53	59939	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.345752001 CEST	54988	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.353658915 CEST	53	54988	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:04.386497974 CEST	51893	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:04.394387007 CEST	53	51893	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:05.183075905 CEST	51803	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.183250904 CEST	61907	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.190675020 CEST	53	51803	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:05.191404104 CEST	53	61907	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:05.291239977 CEST	54377	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.370819092 CEST	64856	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.379722118 CEST	53	64856	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:05.388195038 CEST	54504	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.396486044 CEST	53	54504	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:05.397059917 CEST	50849	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:05.404829979 CEST	53	50849	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:10.966365099 CEST	64707	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:10.974347115 CEST	53	64707	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:10.997711897 CEST	60723	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.005810976 CEST	53	60723	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:11.006937981 CEST	53283	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.014918089 CEST	53	53283	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:11.070242882 CEST	56976	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.102180958 CEST	53	55746	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:11.622282982 CEST	52441	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.630176067 CEST	53	52441	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:11.652868986 CEST	65484	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.660643101 CEST	53	65484	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:11.673423052 CEST	56181	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:11.680814028 CEST	53	56181	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.628115892 CEST	59353	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.635901928 CEST	53	59353	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.645914078 CEST	53972	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.650912046 CEST	65264	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.651524067 CEST	55007	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.654376030 CEST	53	53972	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.659776926 CEST	53	65264	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.660404921 CEST	53	55007	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.663280964 CEST	49889	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.663547039 CEST	59104	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:15.671109915 CEST	53	49889	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.671300888 CEST	53	59104	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:15.794801950 CEST	55219	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.344605923 CEST	52244	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.344727993 CEST	64051	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.345205069 CEST	58594	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.352380991 CEST	53	52244	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.352396011 CEST	53	64051	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.353656054 CEST	53	58594	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.406800032 CEST	62192	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.406800985 CEST	58832	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.407232046 CEST	51046	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.414391994 CEST	53	51046	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.415126085 CEST	58358	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.415184021 CEST	53	62192	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.415261984 CEST	53	58832	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.415740013 CEST	61119	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.415848970 CEST	53489	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.422379017 CEST	53	58358	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.423072100 CEST	50360	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.423341036 CEST	53	53489	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.423926115 CEST	53	61119	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.430874109 CEST	53	50360	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.431427002 CEST	61576	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.438755035 CEST	53	61576	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.439359903 CEST	62363	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.446973085 CEST	53	62363	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:22.829890013 CEST	57038	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:22.837727070 CEST	53	57038	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:29.672699928 CEST	53	50320	162.159.36.2	192.168.2.5
Oct 25, 2024 17:13:30.338372946 CEST	49982	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:30.347218037 CEST	53	49982	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.669329882 CEST	65282	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.680031061 CEST	55565	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.917253971 CEST	53	65282	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.919660091 CEST	60363	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.921653032 CEST	53	55565	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.925508976 CEST	59390	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.926795959 CEST	51310	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.928167105 CEST	53	60363	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.934472084 CEST	53	59390	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.934995890 CEST	54384	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.939920902 CEST	53	51310	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.940398932 CEST	62231	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:31.943243027 CEST	53	54384	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:31.947531939 CEST	53	62231	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.184518099 CEST	57262	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.193269968 CEST	64649	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.200589895 CEST	53	64649	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.201462030 CEST	58011	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.209096909 CEST	53	58011	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.324260950 CEST	52515	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.324529886 CEST	54140	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.331561089 CEST	53	54140	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.332323074 CEST	53	52515	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.697227001 CEST	50043	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.705663919 CEST	53	50043	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:33.706969976 CEST	49653	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:33.714378119 CEST	53	49653	1.1.1.1	192.168.2.5
Oct 25, 2024 17:13:54.346335888 CEST	60589	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:13:54.353919983 CEST	53	60589	1.1.1.1	192.168.2.5
Oct 25, 2024 17:14:01.842720985 CEST	50445	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:14:01.850470066 CEST	53	50445	1.1.1.1	192.168.2.5
Oct 25, 2024 17:14:01.852504015 CEST	54365	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:14:01.860951900 CEST	53	54365	1.1.1.1	192.168.2.5
Oct 25, 2024 17:14:35.023466110 CEST	49715	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:14:35.031892061 CEST	53	49715	1.1.1.1	192.168.2.5
Oct 25, 2024 17:14:35.032901049 CEST	54926	53	192.168.2.5	1.1.1.1
Oct 25, 2024 17:14:35.043113947 CEST	53	54926	1.1.1.1	192.168.2.5
Oct 25, 2024 17:14:35.697770119 CEST	59899	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 17:13:02.953283072 CEST	192.168.2.5	1.1.1.1	0x6ced	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:02.972662926 CEST	192.168.2.5	1.1.1.1	0x603b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:03.832078934 CEST	192.168.2.5	1.1.1.1	0xa5ca	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.832401991 CEST	192.168.2.5	1.1.1.1	0x2c33	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.850003004 CEST	192.168.2.5	1.1.1.1	0xea1a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.855323076 CEST	192.168.2.5	1.1.1.1	0x57bf	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.858913898 CEST	192.168.2.5	1.1.1.1	0x6385	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:03.865448952 CEST	192.168.2.5	1.1.1.1	0xa3d7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:04.101907969 CEST	192.168.2.5	1.1.1.1	0xb701	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.125808001 CEST	192.168.2.5	1.1.1.1	0x545c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.282560110 CEST	192.168.2.5	1.1.1.1	0x4003	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.299376011 CEST	192.168.2.5	1.1.1.1	0xa036	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.316401958 CEST	192.168.2.5	1.1.1.1	0x62c6	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:04.320689917 CEST	192.168.2.5	1.1.1.1	0x78a1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:04.345752001 CEST	192.168.2.5	1.1.1.1	0x11ae	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.386497974 CEST	192.168.2.5	1.1.1.1	0xde9d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:05.183075905 CEST	192.168.2.5	1.1.1.1	0x5bc1	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.183250904 CEST	192.168.2.5	1.1.1.1	0x8c62	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.291239977 CEST	192.168.2.5	1.1.1.1	0xf3c9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.370819092 CEST	192.168.2.5	1.1.1.1	0x3ae1	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.388195038 CEST	192.168.2.5	1.1.1.1	0xfe80	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.397059917 CEST	192.168.2.5	1.1.1.1	0xd312	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:10.966365099 CEST	192.168.2.5	1.1.1.1	0x13f5	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:10.997711897 CEST	192.168.2.5	1.1.1.1	0x57e7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.006937981 CEST	192.168.2.5	1.1.1.1	0x1ed4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:11.070242882 CEST	192.168.2.5	1.1.1.1	0x575e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.622282982 CEST	192.168.2.5	1.1.1.1	0x9fa0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.652868986 CEST	192.168.2.5	1.1.1.1	0x7f95	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.673423052 CEST	192.168.2.5	1.1.1.1	0x5e49	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:15.628115892 CEST	192.168.2.5	1.1.1.1	0x3055	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.645914078 CEST	192.168.2.5	1.1.1.1	0xbf53	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:15.650912046 CEST	192.168.2.5	1.1.1.1	0xc112	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.651524067 CEST	192.168.2.5	1.1.1.1	0x4f0e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.663280964 CEST	192.168.2.5	1.1.1.1	0x9168	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:15.663547039 CEST	192.168.2.5	1.1.1.1	0x6fbe	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:15.794801950 CEST	192.168.2.5	1.1.1.1	0xe32f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.344605923 CEST	192.168.2.5	1.1.1.1	0xb469	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.344727993 CEST	192.168.2.5	1.1.1.1	0x34de	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.345205069 CEST	192.168.2.5	1.1.1.1	0xf462	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.406800032 CEST	192.168.2.5	1.1.1.1	0xbf03	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.406800985 CEST	192.168.2.5	1.1.1.1	0xb3fd	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.407232046 CEST	192.168.2.5	1.1.1.1	0x81b4	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415126085 CEST	192.168.2.5	1.1.1.1	0x8651	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:22.415740013 CEST	192.168.2.5	1.1.1.1	0x5d9	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:22.415848970 CEST	192.168.2.5	1.1.1.1	0xf52b	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 17:13:22.423072100 CEST	192.168.2.5	1.1.1.1	0x4a7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.431427002 CEST	192.168.2.5	1.1.1.1	0x7a15	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.439359903 CEST	192.168.2.5	1.1.1.1	0x120a	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:22.829890013 CEST	192.168.2.5	1.1.1.1	0xc4fd	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:30.338372946 CEST	192.168.2.5	1.1.1.1	0xed4b	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 25, 2024 17:13:31.669329882 CEST	192.168.2.5	1.1.1.1	0x9b41	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.680031061 CEST	192.168.2.5	1.1.1.1	0xa68c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.919660091 CEST	192.168.2.5	1.1.1.1	0x3d21	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:31.925508976 CEST	192.168.2.5	1.1.1.1	0xd56b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.926795959 CEST	192.168.2.5	1.1.1.1	0x72c8	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.934995890 CEST	192.168.2.5	1.1.1.1	0xf37d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 17:13:31.940398932 CEST	192.168.2.5	1.1.1.1	0x7db5	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:33.184518099 CEST	192.168.2.5	1.1.1.1	0xc529	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.193269968 CEST	192.168.2.5	1.1.1.1	0xb8ca	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.201462030 CEST	192.168.2.5	1.1.1.1	0x2b5d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 17:13:33.324260950 CEST	192.168.2.5	1.1.1.1	0xc90f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.324529886 CEST	192.168.2.5	1.1.1.1	0x6c1d	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.697227001 CEST	192.168.2.5	1.1.1.1	0x3527	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.706969976 CEST	192.168.2.5	1.1.1.1	0x741b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:13:54.346335888 CEST	192.168.2.5	1.1.1.1	0x3b32	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:14:01.842720985 CEST	192.168.2.5	1.1.1.1	0xf00c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:01.852504015 CEST	192.168.2.5	1.1.1.1	0x24e2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:14:35.023466110 CEST	192.168.2.5	1.1.1.1	0x957e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:35.032901049 CEST	192.168.2.5	1.1.1.1	0x7277	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 17:14:35.697770119 CEST	192.168.2.5	1.1.1.1	0xc8e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 17:13:02.948755980 CEST	1.1.1.1	192.168.2.5	0xd9a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:02.963128090 CEST	1.1.1.1	192.168.2.5	0x6ced	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.839807034 CEST	1.1.1.1	192.168.2.5	0x2c33	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:03.839807034 CEST	1.1.1.1	192.168.2.5	0x2c33	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.840163946 CEST	1.1.1.1	192.168.2.5	0xa5ca	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:03.840163946 CEST	1.1.1.1	192.168.2.5	0xa5ca	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.858347893 CEST	1.1.1.1	192.168.2.5	0xea1a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.863257885 CEST	1.1.1.1	192.168.2.5	0x57bf	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:03.866312981 CEST	1.1.1.1	192.168.2.5	0x6385	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 17:13:03.873368025 CEST	1.1.1.1	192.168.2.5	0xa3d7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 17:13:04.271878958 CEST	1.1.1.1	192.168.2.5	0xb701	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.272105932 CEST	1.1.1.1	192.168.2.5	0x545c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:04.272105932 CEST	1.1.1.1	192.168.2.5	0x545c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.290301085 CEST	1.1.1.1	192.168.2.5	0x4003	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.308063030 CEST	1.1.1.1	192.168.2.5	0xa036	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.342701912 CEST	1.1.1.1	192.168.2.5	0x471	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:04.342701912 CEST	1.1.1.1	192.168.2.5	0x471	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:04.353658915 CEST	1.1.1.1	192.168.2.5	0x11ae	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.190675020 CEST	1.1.1.1	192.168.2.5	0x5bc1	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.191404104 CEST	1.1.1.1	192.168.2.5	0x8c62	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.191404104 CEST	1.1.1.1	192.168.2.5	0x8c62	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.298887014 CEST	1.1.1.1	192.168.2.5	0xf3c9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:05.298887014 CEST	1.1.1.1	192.168.2.5	0xf3c9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.379722118 CEST	1.1.1.1	192.168.2.5	0x3ae1	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:05.379722118 CEST	1.1.1.1	192.168.2.5	0x3ae1	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:05.379722118 CEST	1.1.1.1	192.168.2.5	0x3ae1	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.396486044 CEST	1.1.1.1	192.168.2.5	0xfe80	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:05.404829979 CEST	1.1.1.1	192.168.2.5	0xd312	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 17:13:10.974347115 CEST	1.1.1.1	192.168.2.5	0x13f5	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:10.974347115 CEST	1.1.1.1	192.168.2.5	0x13f5	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:10.974347115 CEST	1.1.1.1	192.168.2.5	0x13f5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.005810976 CEST	1.1.1.1	192.168.2.5	0x57e7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.078725100 CEST	1.1.1.1	192.168.2.5	0x575e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:11.630176067 CEST	1.1.1.1	192.168.2.5	0x9fa0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:11.660643101 CEST	1.1.1.1	192.168.2.5	0x7f95	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.635010004 CEST	1.1.1.1	192.168.2.5	0x935c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.635555029 CEST	1.1.1.1	192.168.2.5	0xd9a1	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:15.635555029 CEST	1.1.1.1	192.168.2.5	0xd9a1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.635901928 CEST	1.1.1.1	192.168.2.5	0x3055	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:15.635901928 CEST	1.1.1.1	192.168.2.5	0x3055	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.659776926 CEST	1.1.1.1	192.168.2.5	0xc112	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.660404921 CEST	1.1.1.1	192.168.2.5	0x4f0e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:15.802397966 CEST	1.1.1.1	192.168.2.5	0xe32f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:15.802397966 CEST	1.1.1.1	192.168.2.5	0xe32f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:18.132953882 CEST	1.1.1.1	192.168.2.5	0x1438	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352380991 CEST	1.1.1.1	192.168.2.5	0xb469	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352396011 CEST	1.1.1.1	192.168.2.5	0x34de	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:22.352396011 CEST	1.1.1.1	192.168.2.5	0x34de	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.353656054 CEST	1.1.1.1	192.168.2.5	0xf462	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:22.353656054 CEST	1.1.1.1	192.168.2.5	0xf462	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.353656054 CEST	1.1.1.1	192.168.2.5	0xf462	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.353656054 CEST	1.1.1.1	192.168.2.5	0xf462	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.353656054 CEST	1.1.1.1	192.168.2.5	0xf462	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.414391994 CEST	1.1.1.1	192.168.2.5	0x81b4	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415184021 CEST	1.1.1.1	192.168.2.5	0xbf03	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415184021 CEST	1.1.1.1	192.168.2.5	0xbf03	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415184021 CEST	1.1.1.1	192.168.2.5	0xbf03	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415184021 CEST	1.1.1.1	192.168.2.5	0xbf03	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.415261984 CEST	1.1.1.1	192.168.2.5	0xb3fd	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.422379017 CEST	1.1.1.1	192.168.2.5	0x8651	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 17:13:22.422379017 CEST	1.1.1.1	192.168.2.5	0x8651	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 17:13:22.422379017 CEST	1.1.1.1	192.168.2.5	0x8651	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 17:13:22.422379017 CEST	1.1.1.1	192.168.2.5	0x8651	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 17:13:22.423341036 CEST	1.1.1.1	192.168.2.5	0xf52b	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 17:13:22.430874109 CEST	1.1.1.1	192.168.2.5	0x4a7	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:22.438755035 CEST	1.1.1.1	192.168.2.5	0x7a15	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:30.347218037 CEST	1.1.1.1	192.168.2.5	0xed4b	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917011976 CEST	1.1.1.1	192.168.2.5	0x5da5	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917011976 CEST	1.1.1.1	192.168.2.5	0x5da5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917253971 CEST	1.1.1.1	192.168.2.5	0x9b41	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917253971 CEST	1.1.1.1	192.168.2.5	0x9b41	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917253971 CEST	1.1.1.1	192.168.2.5	0x9b41	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.917253971 CEST	1.1.1.1	192.168.2.5	0x9b41	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.921653032 CEST	1.1.1.1	192.168.2.5	0xa68c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:31.921653032 CEST	1.1.1.1	192.168.2.5	0xa68c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.934472084 CEST	1.1.1.1	192.168.2.5	0xd56b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.934472084 CEST	1.1.1.1	192.168.2.5	0xd56b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.934472084 CEST	1.1.1.1	192.168.2.5	0xd56b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.934472084 CEST	1.1.1.1	192.168.2.5	0xd56b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:31.939920902 CEST	1.1.1.1	192.168.2.5	0x72c8	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.192008972 CEST	1.1.1.1	192.168.2.5	0xc529	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:33.192008972 CEST	1.1.1.1	192.168.2.5	0xc529	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.194185019 CEST	1.1.1.1	192.168.2.5	0x7075	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:33.194185019 CEST	1.1.1.1	192.168.2.5	0x7075	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:13:33.200589895 CEST	1.1.1.1	192.168.2.5	0xb8ca	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.209096909 CEST	1.1.1.1	192.168.2.5	0x2b5d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 17:13:33.331561089 CEST	1.1.1.1	192.168.2.5	0x6c1d	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.331561089 CEST	1.1.1.1	192.168.2.5	0x6c1d	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.332323074 CEST	1.1.1.1	192.168.2.5	0xc90f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:13:33.705663919 CEST	1.1.1.1	192.168.2.5	0x3527	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:01.836757898 CEST	1.1.1.1	192.168.2.5	0x16fa	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:01.850470066 CEST	1.1.1.1	192.168.2.5	0xf00c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:35.031892061 CEST	1.1.1.1	192.168.2.5	0x957e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 17:14:35.705817938 CEST	1.1.1.1	192.168.2.5	0xc8e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 17:14:35.705817938 CEST	1.1.1.1	192.168.2.5	0xc8e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	760	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 17:13:03.900682926 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:04.519865990 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4606 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	34.107.221.82	80	760	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 17:13:05.305258036 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:05.910876036 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85578 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:06.484805107 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:06.613023996 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85579 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:10.969381094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:11.095942974 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85584 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:16.141870022 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:16.269768953 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85589 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:18.591012955 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:18.718311071 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85591 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:20.234596968 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:20.361449957 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85593 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:21.806503057 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:21.934266090 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85594 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:23.688735962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:23.815396070 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85596 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:32.696908951 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:32.824297905 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85605 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:33.332464933 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:33.459131002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85606 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:34.467691898 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:34.840133905 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85607 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:34.843152046 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85607 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:13:44.855007887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:13:54.867981911 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:13:55.132922888 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:13:55.260446072 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85628 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:14:02.680039883 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:14:02.807991982 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85635 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:14:03.315665960 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:14:03.443264961 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85636 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:14:13.459250927 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:23.619159937 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:33.632689953 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:35.834142923 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 17:14:35.960927010 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 15:26:47 GMT Age: 85668 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 17:14:45.967643976 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:55.981827021 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:15:06.004595995 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	34.107.221.82	80	760	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 17:13:05.385864973 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:06.030116081 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:06.512530088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:06.644578934 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4608 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:15.793469906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:15.926065922 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4617 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:17.779637098 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:18.000010014 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:18.258013964 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4620 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:18.815440893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:19.138343096 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4620 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:19.183150053 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4620 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:20.323265076 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:20.455449104 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4622 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:23.451695919 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:23.685514927 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4625 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:32.561930895 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:32.694092035 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:33.180879116 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:33.314054966 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4635 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:34.332554102 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:34.464890003 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4636 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:13:44.476089001 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:13:54.482402086 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:13:54.997020960 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:13:55.129920006 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4657 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:14:02.520612955 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:14:02.655073881 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4664 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:14:03.178379059 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:14:03.310765982 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4665 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:14:13.321150064 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:23.333776951 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:33.347085953 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:35.697499037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 17:14:35.830540895 CEST	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 4697 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 17:14:45.851759911 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:14:55.912691116 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 17:15:05.919929981 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	11:12:56
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf80000
File size:	919'040 bytes
MD5 hash:	92BCBE7B8698B2DB8E7EEF7FC3613811
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:12:56
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:12:56
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:12:58
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:12:59
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x200000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:12:59
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:12:59
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:12:59
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:12:59
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:13:00
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229489d4-826a-4f96-a71a-4be4e9eb3af8} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afb646cb10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:13:02
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b84a474f-afef-458f-8c5b-3129f3854e6d} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afc8a1c810 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	11:13:10
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3036 -prefMapHandle 3048 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1003c90-d201-4205-be3a-d720dcdb7632} 760 "\\.\pipe\gecko-crash-server-pipe.760" 1afd218f310 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1557
Total number of Limit Nodes:	63

Executed Functions

Function 00F842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F8430D

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

GetCurrentProcess.KERNEL32(?,0101CB64,00000000,?,?), ref: 00F84422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F84429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F84454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F84466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F84474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F8447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F844A0

Strings

|O, xrefs: 00FC36F8
kernel32.dll, xrefs: 00F8444F
GetNativeSystemInfo, xrefs: 00F84460

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 12904b7b921fa18c46b70564d4cacccebe415c38c98ce5cbbd542a5e58239ede
Instruction ID: 38a90a8da0db863c5b5c66729cc340e8fd22759d200e2ca1c94b4b24e50ae988
Opcode Fuzzy Hash: 12904b7b921fa18c46b70564d4cacccebe415c38c98ce5cbbd542a5e58239ede
Instruction Fuzzy Hash: 39A18E7290E3C1CBC731D769B5A17D67FA46F26394B08C89DD4C1A3A0BD23E4908EB61

Function 00F842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F850AA,?,?,00000000,00000000), ref: 00F842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F850AA,?,?,00000000,00000000), ref: 00F842C9
LoadResource.KERNEL32(?,00000000,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20), ref: 00FC35BE
SizeofResource.KERNEL32(?,00000000,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20), ref: 00FC35D3
LockResource.KERNEL32(00F850AA,?,?,00F850AA,?,?,00000000,00000000,?,?,?,?,?,?,00F84F20,?), ref: 00FC35E6

Strings

SCRIPT, xrefs: 00F842BF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 64ff2fe03eca32255dc718a5aaf7c79347ba8a4a186fab701f60b3f483871615
Instruction ID: aa5f985ea2aacc98d4b6bd2f0046a72358c3c2509525fcb4112f95d0598032d5
Opcode Fuzzy Hash: 64ff2fe03eca32255dc718a5aaf7c79347ba8a4a186fab701f60b3f483871615
Instruction Fuzzy Hash: F3119A70240306AFE7219B65DD48FA77BB9FBC9B65F108169F44686240DB76E8009730

Function 00FC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F82B6B

Part of subcall function 00F83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01051418,?,00F82E7F,?,?,?,00000000), ref: 00F83A78

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01042224), ref: 00FC2C10
ShellExecuteW.SHELL32(00000000,?,?,01042224), ref: 00FC2C17

Strings

runas, xrefs: 00FC2C0B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7ae2079857211e4e5ab2f747f3ca6fcf51d88c698a54cbe17ff0882512f4e2e4
Instruction ID: d653f8904d9101a01b3b58a7474318c9a0b23d34bb54c2ecbb97cf27ac58e471
Opcode Fuzzy Hash: 7ae2079857211e4e5ab2f747f3ca6fcf51d88c698a54cbe17ff0882512f4e2e4
Instruction Fuzzy Hash: 8611B1316083026BC754FF60DD82AFEBBA4ABD5750F48142DF1C2560A2CF7D9A4AA712

Function 00FED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FED501
Process32FirstW.KERNEL32(00000000,?), ref: 00FED50F
Process32NextW.KERNEL32(00000000,?), ref: 00FED52F
CloseHandle.KERNELBASE(00000000), ref: 00FED5DC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 23d9954d51110ab6f6da5cefea543fd233dfda2ed5aecbea11dd891ebbb9b2c6
Instruction ID: d55b6e465fcc8f5c256daaef89af38031eb4838ba068d128a687a68cb9227e4f
Opcode Fuzzy Hash: 23d9954d51110ab6f6da5cefea543fd233dfda2ed5aecbea11dd891ebbb9b2c6
Instruction Fuzzy Hash: 8C31AD321083419FD300EF54CC85ABFBBE8EF99354F58092DF581821A1EB759A48DB92

Function 00FEDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00FC5222), ref: 00FEDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FEDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00FEDBEE
FindClose.KERNEL32(00000000), ref: 00FEDBFA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34c07ac64949e2b52a771a5dba4ce06bab3b74b11692f63f2df17a5b2cdff3b3
Instruction ID: 0d599580e69a3607fb9ba0fa4c236a88c76b9eafd9ac61a814a80bed5c711517
Opcode Fuzzy Hash: 34c07ac64949e2b52a771a5dba4ce06bab3b74b11692f63f2df17a5b2cdff3b3
Instruction Fuzzy Hash: 30F0E5318509105792306B7CAE0D8AA376D9E02374B204702F8BAC24E0EBBD9D64D7D6

Function 00FA4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000,?,00FB28E9), ref: 00FA4D09
TerminateProcess.KERNEL32(00000000,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000,?,00FB28E9), ref: 00FA4D10
ExitProcess.KERNEL32 ref: 00FA4D22

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 23aa5bdedc2df9aca0ee86ef9a7ba309ef1844e712de94e405ae2548e23cd135
Instruction ID: 4b82b29100830642e263bf54a92c55ce078b7543d66783ee61cfa2f0987fcd05
Opcode Fuzzy Hash: 23aa5bdedc2df9aca0ee86ef9a7ba309ef1844e712de94e405ae2548e23cd135
Instruction Fuzzy Hash: 02E0B671480148ABDF21AF54DE09A587B69EF82795B104014FD458A126DB7EEE42EF80

Function 0100AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0100B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100B1D4
_wcslen.LIBCMT ref: 0100B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100B236
_wcslen.LIBCMT ref: 0100B332

Part of subcall function 00FF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FF05C6

_wcslen.LIBCMT ref: 0100B34B
_wcslen.LIBCMT ref: 0100B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100B3B6
GetLastError.KERNEL32(00000000), ref: 0100B407
CloseHandle.KERNEL32(?), ref: 0100B439
CloseHandle.KERNEL32(00000000), ref: 0100B44A
CloseHandle.KERNEL32(00000000), ref: 0100B45C
CloseHandle.KERNEL32(00000000), ref: 0100B46E
CloseHandle.KERNEL32(?), ref: 0100B4E3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5065a3e329b21652e14a252a03e0cf54a01267295ac7de80be2d7acdef6bb41a
Instruction ID: 3c31b7b2aae2543fcc980e417ec5c27220b2fe0b126ec3d3f9505b5b93180a19
Opcode Fuzzy Hash: 5065a3e329b21652e14a252a03e0cf54a01267295ac7de80be2d7acdef6bb41a
Instruction Fuzzy Hash: 3AF1BE356083409FE725EF28C881B6EBBE5BF85310F18845DF9958B2A2DB35EC04CB52

Function 00F8D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F8D807
timeGetTime.WINMM ref: 00F8DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB28
TranslateMessage.USER32(?), ref: 00F8DB7B
DispatchMessageW.USER32(?), ref: 00F8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB9F
Sleep.KERNELBASE(0000000A), ref: 00F8DBB1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 9f53a98d82a9703d2fd576a3628a11a2d63c6f29db85aba95fae03061d252632
Instruction ID: 300424a6768a53c548dc8abc6ffcf5257ab186694ff02c930c0d0f5ae9b8971f
Opcode Fuzzy Hash: 9f53a98d82a9703d2fd576a3628a11a2d63c6f29db85aba95fae03061d252632
Instruction Fuzzy Hash: 1442D131A08341EFD738EF24C844BAAB7E1BF95324F18451AE495873D1D779E844EB92

Function 00F82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F82D07
RegisterClassExW.USER32(00000030), ref: 00F82D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F82D42
InitCommonControlsEx.COMCTL32(?), ref: 00F82D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F82D6F
LoadIconW.USER32(000000A9), ref: 00F82D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F82D94

Strings

+, xrefs: 00F82CF0
TaskbarCreated, xrefs: 00F82D37
AutoIt v3 GUI, xrefs: 00F82D23
0, xrefs: 00F82CE9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 73dc3910db5bf4346e68b3c50d593ea9bd54293e77e3bb9fbd2ba8a552da9a86
Instruction ID: d5d83942dc3b9b88de9ac7ea59ca9590b40f6b78a13d5cf1a17a6140ef4b752c
Opcode Fuzzy Hash: 73dc3910db5bf4346e68b3c50d593ea9bd54293e77e3bb9fbd2ba8a552da9a86
Instruction Fuzzy Hash: 3D212CB5D41308AFEB21DFA4E949BDEBBB4FB08700F00811AF591A7284D7BA8540CF90

Function 00FC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FC0704,?,?,00000000,?,00FC0704,00000000,0000000C), ref: 00FC03B7

GetLastError.KERNEL32 ref: 00FC076F
__dosmaperr.LIBCMT ref: 00FC0776
GetFileType.KERNELBASE(00000000), ref: 00FC0782
GetLastError.KERNEL32 ref: 00FC078C
__dosmaperr.LIBCMT ref: 00FC0795
CloseHandle.KERNEL32(00000000), ref: 00FC07B5
CloseHandle.KERNEL32(?), ref: 00FC08FF
GetLastError.KERNEL32 ref: 00FC0931
__dosmaperr.LIBCMT ref: 00FC0938

Strings

H, xrefs: 00FC08BD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c8be5776c70a8296e35fe0da4a73ceea7e06176a5d3f9c2ace97ed0aa97c6f05
Instruction ID: 974dfee0051af0f0cc729134558bbbb466c683801537f04fb124d52b972f9d13
Opcode Fuzzy Hash: c8be5776c70a8296e35fe0da4a73ceea7e06176a5d3f9c2ace97ed0aa97c6f05
Instruction Fuzzy Hash: 61A12432A002058FDF29AF68D952BAE3BE0AB06320F14015DF8159F3D1DB399D13EB91

Function 00F8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01051418,?,00F82E7F,?,?,?,00000000), ref: 00F83A78

Part of subcall function 00F83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F83379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F8356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FC318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FC31CE
RegCloseKey.ADVAPI32(?), ref: 00FC3210
_wcslen.LIBCMT ref: 00FC3277
_wcslen.LIBCMT ref: 00FC3286

Strings

Include, xrefs: 00FC3184, 00FC31C5
Software\AutoIt v3\AutoIt, xrefs: 00F83560
\, xrefs: 00FC328C
\Include\, xrefs: 00F83527

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 272750829bcac59bbfbede2c5d430c021cd29c25811d0c9fd028671cd44bcefc
Instruction ID: 79d248f83479306a1e87ce68b6ce7963e370d8a589ea8606cc08ddce7ac32814
Opcode Fuzzy Hash: 272750829bcac59bbfbede2c5d430c021cd29c25811d0c9fd028671cd44bcefc
Instruction Fuzzy Hash: B571C071408301DEC724EF25DC829ABBBE8FF85740F40842EF48597166EB79DA48DB51

Function 00F82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F82B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F82B9D
LoadIconW.USER32(00000063), ref: 00F82BB3
LoadIconW.USER32(000000A4), ref: 00F82BC5
LoadIconW.USER32(000000A2), ref: 00F82BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F82BEF
RegisterClassExW.USER32(?), ref: 00F82C40

Part of subcall function 00F82CD4: GetSysColorBrush.USER32(0000000F), ref: 00F82D07
Part of subcall function 00F82CD4: RegisterClassExW.USER32(00000030), ref: 00F82D31
Part of subcall function 00F82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F82D42
Part of subcall function 00F82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F82D5F
Part of subcall function 00F82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F82D6F
Part of subcall function 00F82CD4: LoadIconW.USER32(000000A9), ref: 00F82D85
Part of subcall function 00F82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F82D94

Strings

#, xrefs: 00F82C16
0, xrefs: 00F82C0F
AutoIt v3, xrefs: 00F82C2F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 48ffe7629b59a491ab79f5381d49dcd3f82e47f80dd4a618efebd869b061ff7d
Instruction ID: 81d070096a9b23d283b9ef94e2d2ca83ad11d51531b0cf14c3c9304978923075
Opcode Fuzzy Hash: 48ffe7629b59a491ab79f5381d49dcd3f82e47f80dd4a618efebd869b061ff7d
Instruction Fuzzy Hash: F1219270E40314AFDB209F95E964B9E7FB9FB08B50F00811AF580A7295D3BE4540DF80

Function 00F83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F8316A,?,?), ref: 00F831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F8316A,?,?), ref: 00F83204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F83227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F8316A,?,?), ref: 00F83232
CreatePopupMenu.USER32 ref: 00F83246
PostQuitMessage.USER32(00000000), ref: 00F83267

Strings

TaskbarCreated, xrefs: 00F8322D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d0deb9ec162f0d84a22ee488a435d36800365c0336c10557809f9ce13bf0b6c5
Instruction ID: 0646e79368db413226137bb0dbf7b9c662a4924c69bd17e086cfcdcf5b2caa11
Opcode Fuzzy Hash: d0deb9ec162f0d84a22ee488a435d36800365c0336c10557809f9ce13bf0b6c5
Instruction Fuzzy Hash: 81411936A40204A6DB243B78DE0EBFE3A29F705F14F044119F982C51A5CBBEDA40B361

Function 00F81410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F81459
CoUninitialize.COMBASE ref: 00F814F8
UnregisterHotKey.USER32(?), ref: 00F816DD
DestroyWindow.USER32(?), ref: 00FC24B9
FreeLibrary.KERNEL32(?), ref: 00FC251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FC254B

Strings

close all, xrefs: 00F81454

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3f901c6f01abf9ec32b8fc8c92d2eb85794424b6f403430e6f67c95c0d0edba8
Instruction ID: 53c933ea7dec699227fe6ccd032d916c142055779caebb42fc1f7ec93c0258c2
Opcode Fuzzy Hash: 3f901c6f01abf9ec32b8fc8c92d2eb85794424b6f403430e6f67c95c0d0edba8
Instruction Fuzzy Hash: 00D15931B012128FDB29EF14CA9AF69F7A4BF05710F1442ADE44AAB251DB35EC12EF50

Function 00F82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F82C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F82CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F81CAD,?), ref: 00F82CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F81CAD,?), ref: 00F82CCF

Strings

edit, xrefs: 00F82CAC
AutoIt v3, xrefs: 00F82C89, 00F82C8E, 00F82C8F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1f4a8b02b3e179d19495a59990fac64b14e7f44895faa11db9aeba05a41c3ca
Instruction ID: feea55b2eac88d150bc4f8808101f2d526289e7af2ce5f0d1fcd3f1e2affe7d6
Opcode Fuzzy Hash: b1f4a8b02b3e179d19495a59990fac64b14e7f44895faa11db9aeba05a41c3ca
Instruction Fuzzy Hash: 64F017755803907AEB300713AC18F772EBEE7C6F60B01801AF940A6159C27A4840DBB0

Function 00F83B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F83B0F,SwapMouseButtons,00000004,?), ref: 00F83B83

Strings

Control Panel\Mouse, xrefs: 00F83B3E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: efdd7aed2ab2f2353f7c80e13119218cbe92b0a3e698429888548ffa43d6a6b9
Instruction ID: a65f6e7493c2edf8a1ddc8f34cb98b9c8e545508924eac055b1e961bf2be41f9
Opcode Fuzzy Hash: efdd7aed2ab2f2353f7c80e13119218cbe92b0a3e698429888548ffa43d6a6b9
Instruction Fuzzy Hash: 02112AB5610208FFDB21DFA5DC48AEEB7B8EF45B94B104459B805D7124E231DF40A760

Function 00F83923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FC33A2

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F83A04

Strings

Line: , xrefs: 00FC33EB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 551e892766fbf7965971624e98a6f56961d2dd11cd777cb57bdd46ef7639dde8
Instruction ID: 042d8cd796de7ce947bb403b92dd6f7712e4beaba245ab1f5b7608463343dae6
Opcode Fuzzy Hash: 551e892766fbf7965971624e98a6f56961d2dd11cd777cb57bdd46ef7639dde8
Instruction Fuzzy Hash: 5F31C371908300AAD725FB20DC45BEBB7D8AF44B20F00492EF5D992191EB789649D7C2

Function 00F9FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FA0668

Part of subcall function 00FA32A4: RaiseException.KERNEL32(?,?,?,00FA068A,?,01051444,?,?,?,?,?,?,00FA068A,00F81129,01048738,00F81129), ref: 00FA3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FA0685

Strings

Unknown exception, xrefs: 00FA0692

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 411f1b293ee7dd1dad8b9cacdddff0312f3efafd06012f3c7814b3914ddbd8bd
Instruction ID: e187c20728909cf0b6f53f86edd3310ebf0e2aa8bf379a7b66ff9bc9dc911c2c
Opcode Fuzzy Hash: 411f1b293ee7dd1dad8b9cacdddff0312f3efafd06012f3c7814b3914ddbd8bd
Instruction Fuzzy Hash: D3F0F6B4D0020D77CF00F6A5EC86D9E776C6E42364B604536B824D6591EF75EA29F9C0

Function 00F810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F81BF4
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F81BFC
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F81C07
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F81C12
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F81C1A
Part of subcall function 00F81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F81C22

Part of subcall function 00F81B4A: RegisterWindowMessageW.USER32(00000004,?,00F812C4), ref: 00F81BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F8136A
OleInitialize.OLE32 ref: 00F81388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FC24AB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0ad5d13f6918746004e3f103a835aa9909eb4e865502efd2c44f59e6538867b4
Instruction ID: 1c8cbd04f0e32886a463bc67ecab12275ddd30dfc910f8f0fd4eb3b32c1d0e18
Opcode Fuzzy Hash: 0ad5d13f6918746004e3f103a835aa9909eb4e865502efd2c44f59e6538867b4
Instruction Fuzzy Hash: 4771AAB4901300CFD7A8EF79E5497A73AE5FB48348758962AD4DAC7249EB3E8841CF50

Function 00FEC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F83A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FEC259
KillTimer.USER32(?,00000001,?,?), ref: 00FEC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FEC270

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2e84f80e1043cfcc157528b431a628544588261a669b708d58f461bd84f3d535
Instruction ID: 1e3179f413186355dff7fc4fc2935bbd7e24cf249f486d164783062a80720a8a
Opcode Fuzzy Hash: 2e84f80e1043cfcc157528b431a628544588261a669b708d58f461bd84f3d535
Instruction Fuzzy Hash: 4331D571904384AFEB329F758855BEBBBECAF07304F00049EE2DA97241C7785A85DB91

Function 00FB86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FB85CC,?,01048CC8,0000000C), ref: 00FB8704
GetLastError.KERNEL32(?,00FB85CC,?,01048CC8,0000000C), ref: 00FB870E
__dosmaperr.LIBCMT ref: 00FB8739

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7406001946910b85cd1500d421445c73eaa954fd74579f18a225b8c3c044f13f
Instruction ID: 4a69cb91a14eba7a01a2609fa54900f270d7a3bc67d49ac1d9befad79eec76a7
Opcode Fuzzy Hash: 7406001946910b85cd1500d421445c73eaa954fd74579f18a225b8c3c044f13f
Instruction Fuzzy Hash: 92010832E0566026D6647236E8457EE778F4BC2BB8F3D0119F8148B5D2DEADCC82EE50

Function 00F8DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F8DB7B
DispatchMessageW.USER32(?), ref: 00F8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8DB9F
Sleep.KERNELBASE(0000000A), ref: 00F8DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00FD1CC9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a40d4ed4d0da7a01a62a92b8e2cc7ac49ab9a3fdb848097ab04c45db6555b67e
Instruction ID: 9ebaf98049fc15466bd2818e21d88f306ebeccf8ab20eb5ac78ede709d657625
Opcode Fuzzy Hash: a40d4ed4d0da7a01a62a92b8e2cc7ac49ab9a3fdb848097ab04c45db6555b67e
Instruction Fuzzy Hash: 28F05E30A443409BFB30DB60DC49FEA73ADFF84320F104A19E68A830C0DB799488EB15

Function 00F91310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F917F6

Strings

CALL, xrefs: 00F917C6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7dfa273c0f6a4abf66a281afe0c6cf568d61887360adb67273f4125ff9234c8f
Instruction ID: 6ff0ec912a20b1ec4a0a611c0d82a466d6e0ee68dd1f101e3d21e024fd68ad53
Opcode Fuzzy Hash: 7dfa273c0f6a4abf66a281afe0c6cf568d61887360adb67273f4125ff9234c8f
Instruction Fuzzy Hash: EE227F71A083029FEB14DF14C880B2ABBF2BF85314F19896DF4968B361D775E845EB52

Function 00F82DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FC2C8C

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00F82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F82DC4

Strings

X, xrefs: 00FC2C5A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 1e4f358f4a5a4e0dfc05959a12b24ca3d36f6f67e30c82da178738dcbe6dc411
Instruction ID: 44dce908f7651b755a205c4bd2b024d2269c44a154509403cbe7f26f1eafac40
Opcode Fuzzy Hash: 1e4f358f4a5a4e0dfc05959a12b24ca3d36f6f67e30c82da178738dcbe6dc411
Instruction Fuzzy Hash: 4321D571E002589FCF45EF94CC4ABEE7BF8AF49714F008059E445E7241DBB89A499FA1

Function 00F83837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F83908

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1b10ec98058f83378dfcb12d96a82348a2ffe2d77618f3bf86c99778b981bed2
Instruction ID: c4a3d7be83bf65efd7e48939f1e31e0bb3f689317554144d2fa5bd25c52cd5df
Opcode Fuzzy Hash: 1b10ec98058f83378dfcb12d96a82348a2ffe2d77618f3bf86c99778b981bed2
Instruction Fuzzy Hash: 8B31D271A043019FD720EF24D4857D7BBE8FB49718F00092EF9DA83251E77AAA44DB52

Function 00F9F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F9F661

Part of subcall function 00F8D730: GetInputState.USER32 ref: 00F8D807

Sleep.KERNEL32(00000000), ref: 00FDF2DE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3a114efe83f9f16e7c5905d400ea6d24da12e8b96b433f93028dfbbc2be9dab9
Instruction ID: 604528e6224176f2aad9112b914c0366cd6d92d261295194de6486d285d8a562
Opcode Fuzzy Hash: 3a114efe83f9f16e7c5905d400ea6d24da12e8b96b433f93028dfbbc2be9dab9
Instruction Fuzzy Hash: 1DF082712802059FD310FF65D945F9ABBE4FF46761F000029E859C7350DB74A800DB90

Function 00F84ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E9C
Part of subcall function 00F84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F84EAE
Part of subcall function 00F84E90: FreeLibrary.KERNEL32(00000000,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EFD

Part of subcall function 00F84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E62
Part of subcall function 00F84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84E74
Part of subcall function 00F84E59: FreeLibrary.KERNEL32(00000000,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E87

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f692009b25afedaa8af9f0ed7197468ead5d07804e0d85d9cc6f837512375950
Instruction ID: 8041f484ee927a836d98af157fbc8c124fada8c01d57164e2991c13ccf4a656a
Opcode Fuzzy Hash: f692009b25afedaa8af9f0ed7197468ead5d07804e0d85d9cc6f837512375950
Instruction Fuzzy Hash: 9F11E732600206ABDB14FF60DD16FED77A5AF40B14F10842EF582AB1C1EE78EA05B750

Function 00FB8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FB8440

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ed5ebf76d8a9af90b40b1dec258d2e075462c471cbd29937c4324f66bac17f9d
Instruction ID: 0212e7d5e6f81c16f339a61135be978fd8eb80603cdf3a5481475bd8cef94823
Opcode Fuzzy Hash: ed5ebf76d8a9af90b40b1dec258d2e075462c471cbd29937c4324f66bac17f9d
Instruction Fuzzy Hash: 3711367590420AEFCB05DF59E941ADA7BF8EF48310F104059F808AB302DA31DA12DBA5

Function 00FB5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB4C7D: RtlAllocateHeap.NTDLL(00000008,00F81129,00000000,?,00FB2E29,00000001,00000364,?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?), ref: 00FB4CBE

_free.LIBCMT ref: 00FB506C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 206df735bab9a513a61fba16f6f2f1ae35a0451c98e0f0bdc07a3bdb85f897fb
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B8012B726047056BE3219E569C41A9AFBE8FB89370F25051DE18483280E6346805CA74

Function 00FAE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 97bb5ff7ecee07cc22faea9c46d7343a86e6a023f46961d3d18bcd8887521d4c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: FAF0F972920A1496D6313A6A8C05B96339C9F53370F100B15F425926D2DB78D806BDA5

Function 00FB4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F81129,00000000,?,00FB2E29,00000001,00000364,?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?), ref: 00FB4CBE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f8c7015ebbe34e10568783cd3589d6f4dd068c2c39d37cc288f302923bb49959
Instruction ID: 50d0e15fb955cd58c09786bcfbb36372b94b946c31ca3bd48a60ff218655d37b
Opcode Fuzzy Hash: f8c7015ebbe34e10568783cd3589d6f4dd068c2c39d37cc288f302923bb49959
Instruction Fuzzy Hash: C3F0BBB1A4222466DB215E639E05BD63F88AF41B71B144121F819D6587CA75FC007AE0

Function 00FB3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 74627743b728c0f963cd8448a97da7e6ecb3fb7fbce3b8dc8d1978dc8c244030
Instruction ID: a04801fc7220bf998e1c736739ad691228c9ca51de54e52b18ff6e001965532c
Opcode Fuzzy Hash: 74627743b728c0f963cd8448a97da7e6ecb3fb7fbce3b8dc8d1978dc8c244030
Instruction Fuzzy Hash: A3E065339C122456E73126AB9C05BDB3649AB837B0F160131BC5596581DB65ED01BAE2

Function 00F84F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84F6D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b90d21600e4e769dbff1b083d5b8fc4e99aa20bef79d27e04741b0804063a439
Instruction ID: 8607a2851e6903b5d48d6e0481b800493de3a34b762cac89ee2bab788df3cfa4
Opcode Fuzzy Hash: b90d21600e4e769dbff1b083d5b8fc4e99aa20bef79d27e04741b0804063a439
Instruction Fuzzy Hash: 94F03071505752CFDB34AF64D890952B7F4BF15329315897EE2EA83610C735A844EF10

Function 01012A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01012A66

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 179d769de4daa17c2c78e15b70b376adc6ae50b8c8ac780f49bf02fbe14339c2
Instruction ID: a45347216b9a849245e1bc8ea5e552681326b0c1e34e4577f55399f82f66554e
Opcode Fuzzy Hash: 179d769de4daa17c2c78e15b70b376adc6ae50b8c8ac780f49bf02fbe14339c2
Instruction Fuzzy Hash: 72E0DF3238011AABDB20EA30DC848FE735CEF10294710043AAC56C2100DB3CA98182A0

Function 00F830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F8314E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2d333135e1f89b59c6e397ce18ef0bfb1169db904d0ce586de9872ba570a5851
Instruction ID: d9ac66f3e98750b3029a6b88d8f4daca50ca46a2316e9c74a6bfa818508704ca
Opcode Fuzzy Hash: 2d333135e1f89b59c6e397ce18ef0bfb1169db904d0ce586de9872ba570a5851
Instruction Fuzzy Hash: D9F03770914314AFEB629B64DC497D67BBCA701708F0040E5A58996186DB795788CF51

Function 00F82DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F82DC4

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c6c25453d3abbee3853cfc316ff2562e3cd00def56df69a9ba1daa73e78ec1f1
Instruction ID: 7012801d61863544b43c13b2e1e16cd4abb7a24864fe8e040baa06d54fdaf51d
Opcode Fuzzy Hash: c6c25453d3abbee3853cfc316ff2562e3cd00def56df69a9ba1daa73e78ec1f1
Instruction Fuzzy Hash: 3EE0CD72A002245BC720A2589C06FDA77DDDFC8790F040075FD09D7249D968ED80C650

Function 00F82B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F83908

Part of subcall function 00F8D730: GetInputState.USER32 ref: 00F8D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F82B6B

Part of subcall function 00F830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F8314E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5f69aae12fc4f87ba69313645939c81bbd22a4a07912ef11d1b139ecd9226653
Instruction ID: 3724066fc4bcae389635eb117a008e55edc9856b8c18d2860cb8138042e41019
Opcode Fuzzy Hash: 5f69aae12fc4f87ba69313645939c81bbd22a4a07912ef11d1b139ecd9226653
Instruction Fuzzy Hash: 33E0263270420402CB04BA30AC125FEB7499BD1715F40153EF182431A3CF3D8A455312

Function 00FC039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FC0704,?,?,00000000,?,00FC0704,00000000,0000000C), ref: 00FC03B7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 88d31a7e5d9ca6577482e50b9f89efbfbc7c37d1cf7eb5a13d16653cb3a1cb4c
Instruction ID: 9c99fbf8e01f57a00665e180f82f7a82d333e44b74690c49b1ea22e0fb3bb293
Opcode Fuzzy Hash: 88d31a7e5d9ca6577482e50b9f89efbfbc7c37d1cf7eb5a13d16653cb3a1cb4c
Instruction Fuzzy Hash: D6D06C3208010DBBDF128E84DD06EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00F81CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F81CBC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ddc327cbbf62277b35462813116ef2a01625780a707a15467ea4bd39fc5a74bc
Instruction ID: 0fc413930a67bb63f0c712521115a991b35dc58422fb401ab07faff080373e37
Opcode Fuzzy Hash: ddc327cbbf62277b35462813116ef2a01625780a707a15467ea4bd39fc5a74bc
Instruction Fuzzy Hash: 7AC092362C0304EFF3358A80BD5AF127765A748B04F048401F68AA95DBC3BB58A0EB50

Non-executed Functions

Function 01019576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0101961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0101969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010196C9
SendMessageW.USER32 ref: 010196F2
GetKeyState.USER32(00000011), ref: 0101978B
GetKeyState.USER32(00000009), ref: 01019798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010197AE
GetKeyState.USER32(00000010), ref: 010197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010197E9
SendMessageW.USER32 ref: 01019810
SendMessageW.USER32(?,00001030,?,01017E95), ref: 01019918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0101992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01019941
SetCapture.USER32(?), ref: 0101994A
ClientToScreen.USER32(?,?), ref: 010199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010199D6
ReleaseCapture.USER32 ref: 010199E1
GetCursorPos.USER32(?), ref: 01019A19
ScreenToClient.USER32(?,?), ref: 01019A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01019A80
SendMessageW.USER32 ref: 01019AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01019AEB
SendMessageW.USER32 ref: 01019B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01019B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01019B4A
GetCursorPos.USER32(?), ref: 01019B68
ScreenToClient.USER32(?,?), ref: 01019B75
GetParent.USER32(?), ref: 01019B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01019BFA
SendMessageW.USER32 ref: 01019C2B
ClientToScreen.USER32(?,?), ref: 01019C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01019CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01019CDE
SendMessageW.USER32 ref: 01019D01
ClientToScreen.USER32(?,?), ref: 01019D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01019D82

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

GetWindowLongW.USER32(?,000000F0), ref: 01019E05

Strings

@GUI_DRAGID, xrefs: 0101997D
F, xrefs: 01019D07

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 79789d8b52c73b9d20af4f5ca74c82b59099b35047876a0d8a8972f4ac4bcea0
Instruction ID: f1f004d9c3f4dede7e08de20b2a6df452b2b9001c541dd746c8e1ee9929d84cf
Opcode Fuzzy Hash: 79789d8b52c73b9d20af4f5ca74c82b59099b35047876a0d8a8972f4ac4bcea0
Instruction Fuzzy Hash: 67429E74204201EFE725CF28C954BAABBE5FF8D318F040A59F6D9872A9D739E850CB51

Function 01014873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01014908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01014927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0101494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0101495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0101497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01014A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01014A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01014A7E
IsMenu.USER32(?), ref: 01014A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01014AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01014B20
GetWindowLongW.USER32(?,000000F0), ref: 01014B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01014BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01014C82
wsprintfW.USER32 ref: 01014CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01014CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01014CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01014D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01014D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01014D5A

Strings

%d/%02d/%02d, xrefs: 01014CA8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 525859d3d86b78febbdd36e163be6fe0dff3fd1ce18946bc789072aca42c0fed
Instruction ID: 2141afe8a7c5a7c9884f9266afdf2c5f798eb87d177e64b4c345c466460d498f
Opcode Fuzzy Hash: 525859d3d86b78febbdd36e163be6fe0dff3fd1ce18946bc789072aca42c0fed
Instruction Fuzzy Hash: 9212FE71600214ABFB259F28CC49FAE7BF8EF49310F044169F596EB2A9DB7C9940CB50

Function 00F9F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F9F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FDF474
IsIconic.USER32(00000000), ref: 00FDF47D
ShowWindow.USER32(00000000,00000009), ref: 00FDF48A
SetForegroundWindow.USER32(00000000), ref: 00FDF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDF4AA
GetCurrentThreadId.KERNEL32 ref: 00FDF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FDF4DE
SetForegroundWindow.USER32(00000000), ref: 00FDF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF4F6
keybd_event.USER32(00000012,00000000), ref: 00FDF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF50B
keybd_event.USER32(00000012,00000000), ref: 00FDF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF519
keybd_event.USER32(00000012,00000000), ref: 00FDF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDF528
keybd_event.USER32(00000012,00000000), ref: 00FDF52D
SetForegroundWindow.USER32(00000000), ref: 00FDF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FDF557

Strings

Shell_TrayWnd, xrefs: 00FDF46F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 80a6a2413b1192965df89e4d55fe0b57a36f6b4f241db460f8dcb5d1228664b0
Instruction ID: c0f38487ef9cfa0e8ed56893209b0680c08c56b3d943799413d69386ddf89f3d
Opcode Fuzzy Hash: 80a6a2413b1192965df89e4d55fe0b57a36f6b4f241db460f8dcb5d1228664b0
Instruction Fuzzy Hash: F9316371A80318BBFB316BB55D4AFBF7E6DEB44B50F140426FA01E61C1C6B99D00AB60

Function 00FE1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
Part of subcall function 00FE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
Part of subcall function 00FE16C3: GetLastError.KERNEL32 ref: 00FE174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FE1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FE12A8
CloseHandle.KERNEL32(?), ref: 00FE12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FE12D1
GetProcessWindowStation.USER32 ref: 00FE12EA
SetProcessWindowStation.USER32(00000000), ref: 00FE12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FE1310

Part of subcall function 00FE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE11FC), ref: 00FE10D4
Part of subcall function 00FE10BF: CloseHandle.KERNEL32(?,?,00FE11FC), ref: 00FE10E9

Strings

, xrefs: 00FE125A
default, xrefs: 00FE130B
winsta0, xrefs: 00FE12CC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5bb92cc3dae3cd833b9953f4888ab8cc7f079e0286ea00ee4a2aecbefa8fb4f5
Instruction ID: 7822606a9a59c617cf62c8e8993360185e70a375b05e706ef008e61dd2f23fb3
Opcode Fuzzy Hash: 5bb92cc3dae3cd833b9953f4888ab8cc7f079e0286ea00ee4a2aecbefa8fb4f5
Instruction Fuzzy Hash: 76819B71900288AFEF21DFA6DD49FEE7BB9FF09710F144029F910A6290C7799954DB20

Function 00FE0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
Part of subcall function 00FE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
Part of subcall function 00FE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
Part of subcall function 00FE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE0C00
GetLengthSid.ADVAPI32(?), ref: 00FE0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FE0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE0C6D
GetLengthSid.ADVAPI32(?), ref: 00FE0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FE0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FE0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE0CB4
CopySid.ADVAPI32(00000000), ref: 00FE0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D45
HeapFree.KERNEL32(00000000), ref: 00FE0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D55
HeapFree.KERNEL32(00000000), ref: 00FE0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0D65
HeapFree.KERNEL32(00000000), ref: 00FE0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE0D78
HeapFree.KERNEL32(00000000), ref: 00FE0D7F

Part of subcall function 00FE1193: GetProcessHeap.KERNEL32(00000008,00FE0BB1,?,00000000,?,00FE0BB1,?), ref: 00FE11A1
Part of subcall function 00FE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FE0BB1,?), ref: 00FE11A8
Part of subcall function 00FE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FE0BB1,?), ref: 00FE11B7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c114183ee01a1fc84ab71b7c8e915e946de487a93ce797539c9b27fdee4c588f
Instruction ID: 095ef7bd2f74d6a35f453689c1e72660a49af774a58b3e2375d69a5049692bc2
Opcode Fuzzy Hash: c114183ee01a1fc84ab71b7c8e915e946de487a93ce797539c9b27fdee4c588f
Instruction Fuzzy Hash: 3871AA72D0024AABEF20DFA6DD44FAEBBB8BF05310F144115F944A6180DBB9EA41DB60

Function 00FFEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0101CC08), ref: 00FFEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FFEB37
GetClipboardData.USER32(0000000D), ref: 00FFEB43
CloseClipboard.USER32 ref: 00FFEB4F
GlobalLock.KERNEL32(00000000), ref: 00FFEB87
CloseClipboard.USER32 ref: 00FFEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FFEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FFEBC9
GetClipboardData.USER32(00000001), ref: 00FFEBD1
GlobalLock.KERNEL32(00000000), ref: 00FFEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FFEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FFEC38
GetClipboardData.USER32(0000000F), ref: 00FFEC44
GlobalLock.KERNEL32(00000000), ref: 00FFEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FFEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FFEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FFECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FFECF3
CountClipboardFormats.USER32 ref: 00FFED14
CloseClipboard.USER32 ref: 00FFED59

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8217df78b6c5c626e2281e3c1767ac2f54e4e38afaefd106410684651fd41b72
Instruction ID: b80b59059cfab0a9cb5accf5ab1790fd48a32f72e0c0b410639402a8ebf297c8
Opcode Fuzzy Hash: 8217df78b6c5c626e2281e3c1767ac2f54e4e38afaefd106410684651fd41b72
Instruction Fuzzy Hash: 3A6112342443069FE310EF64C884F7A77A4AF84714F04441DF686972B2CB3AED05EB62

Function 00FF698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF69BE
FindClose.KERNEL32(00000000), ref: 00FF6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FF6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FF6A75

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FF6B6A
%02d, xrefs: 00FF6C00, 00FF6C0A, 00FF6C5A, 00FF6CAA, 00FF6CFA, 00FF6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FF6B32
%03d, xrefs: 00FF6DA2
%4d, xrefs: 00FF6BB1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f04bf2753f9bd1a2f20253e43240214df209550da420017663f2dd86bb192642
Instruction ID: 9d8de147c66decd8a27181df1db58bfa53b5919109a5076cf5e25dc3a1215d75
Opcode Fuzzy Hash: f04bf2753f9bd1a2f20253e43240214df209550da420017663f2dd86bb192642
Instruction Fuzzy Hash: 69D15EB2508304ABC710EBA0CC81EBBB7E8AF99704F44491DF685D7151EB79DA48DB62

Function 00FF9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FF9663
GetFileAttributesW.KERNEL32(?), ref: 00FF96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FF96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FF96D3
FindClose.KERNEL32(00000000), ref: 00FF96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FF96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF974A
SetCurrentDirectoryW.KERNEL32(01046B7C), ref: 00FF9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF9772
FindClose.KERNEL32(00000000), ref: 00FF977F
FindClose.KERNEL32(00000000), ref: 00FF978F

Strings

*.*, xrefs: 00FF96F5

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 108790fb4c47d913bc974738a01d276cab6f6f8d462324881c361b277d59955e
Instruction ID: 33b076069e0410ff33f18de72369e8e2e0d140a3c340f0d0621ef3a503d5f2f1
Opcode Fuzzy Hash: 108790fb4c47d913bc974738a01d276cab6f6f8d462324881c361b277d59955e
Instruction Fuzzy Hash: 8531F57294421D6BDF24AEB4DD48BEE37AC9F49331F104065FA54E20A0EBB9DE409B54

Function 00FF979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FF97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FF9819
FindClose.KERNEL32(00000000), ref: 00FF9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FF9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF9890
SetCurrentDirectoryW.KERNEL32(01046B7C), ref: 00FF98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF98B8
FindClose.KERNEL32(00000000), ref: 00FF98C5
FindClose.KERNEL32(00000000), ref: 00FF98D5

Part of subcall function 00FEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FEDB00

Strings

*.*, xrefs: 00FF983B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1bdd2bebdbbb6c727659bc1943ae2df7556d17cf48eb993e6542923ee25d67a
Instruction ID: 5ddc3185a55a1a01d492db5e3837e69969710523f48a2edb20f1bdfe29790969
Opcode Fuzzy Hash: b1bdd2bebdbbb6c727659bc1943ae2df7556d17cf48eb993e6542923ee25d67a
Instruction Fuzzy Hash: C331F87294421D6BEB20EEB5DC48BEE37AC9F46370F104165F954A20A0DBB9DE84DB50

Function 0100BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0100BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0100BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0100C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0100C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0100C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0100C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0100C382
RegCloseKey.ADVAPI32(00000000), ref: 0100C38F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c92f186f59a8a5a79e949e7be9e54f65e392c21d81edc2032632ab21cf08de2a
Instruction ID: 712fe86e239b14a436435566a8158458732b1f617467dd96596a611a70e33df1
Opcode Fuzzy Hash: c92f186f59a8a5a79e949e7be9e54f65e392c21d81edc2032632ab21cf08de2a
Instruction Fuzzy Hash: 2F027F706042009FE715DF28C995E2ABBE5EF49308F18C59DF88ACB2A2DB35ED45CB51

Function 00FF8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FF8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FF8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FF838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8395

Strings

*.*, xrefs: 00FF839B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 39a4939ce043b01b4f047a017ec6c6599fdf109d9d907c338f6c18fb87a377b4
Instruction ID: 331dc158cfbd4b369ba4dded3fb780fd62264b92c7c17a5e3abd7ec47685a432
Opcode Fuzzy Hash: 39a4939ce043b01b4f047a017ec6c6599fdf109d9d907c338f6c18fb87a377b4
Instruction Fuzzy Hash: 73618CB25083099FD710EF60C8409AFB3E8FF89754F04491DFA8987261DB39E946DB92

Function 00FED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FED1DD
MoveFileW.KERNEL32(?,?), ref: 00FED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FED237

Part of subcall function 00FED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FED21C,?,?), ref: 00FED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FED253
FindClose.KERNEL32(00000000), ref: 00FED264

Strings

\*.*, xrefs: 00FED0CD, 00FED0D6, 00FED0EB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: df3fbbbb8ee9a36aa71bb7e93a07a860189006870a5bb399a09bcf99a77b5ded
Instruction ID: f6b0a9522b046c44d20818828841207fa439455288b95eab0cb131f7df752341
Opcode Fuzzy Hash: df3fbbbb8ee9a36aa71bb7e93a07a860189006870a5bb399a09bcf99a77b5ded
Instruction Fuzzy Hash: EA615631C05149ABDF05EBE1CE929FDB7B9AF15300F244165E40277191EB39AF09EB61

Function 00FFED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FFED91
EmptyClipboard.USER32 ref: 00FFED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FFEDAC
CloseClipboard.USER32 ref: 00FFEEA3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 36db50d4ce16a2daa6abccec85616ade9448784e54b508ea8f0e43e77a1932c8
Instruction ID: 0bea8ada9971136d488faaae341e181fe3f3f9122cf06b632932f4645b856971
Opcode Fuzzy Hash: 36db50d4ce16a2daa6abccec85616ade9448784e54b508ea8f0e43e77a1932c8
Instruction Fuzzy Hash: 7D41C135604211AFE320DF15E448B69BBE1FF44328F15C499E5998B672C73AFC41DB90

Function 00FEE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
Part of subcall function 00FE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
Part of subcall function 00FE16C3: GetLastError.KERNEL32 ref: 00FE174A

ExitWindowsEx.USER32(?,00000000), ref: 00FEE932

Strings

, xrefs: 00FEE95C
SeShutdownPrivilege, xrefs: 00FEE902
@, xrefs: 00FEE925
, xrefs: 00FEE920

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6a7e9f8ae7cb9e5b75593a871e48feba9cc8ec401e5d1cd529d1efa307ad9b63
Instruction ID: 8fd5c4e51abb982f0b489b816c1602998146c71bdd324d409f63a50a3a38bd20
Opcode Fuzzy Hash: 6a7e9f8ae7cb9e5b75593a871e48feba9cc8ec401e5d1cd529d1efa307ad9b63
Instruction Fuzzy Hash: 20012673A10251ABFB2466B7BC86FBF729CA714750F140421F803E71C3E6A99C44A2A0

Function 01001204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01001276
WSAGetLastError.WSOCK32 ref: 01001283
bind.WSOCK32(00000000,?,00000010), ref: 010012BA
WSAGetLastError.WSOCK32 ref: 010012C5
closesocket.WSOCK32(00000000), ref: 010012F4
listen.WSOCK32(00000000,00000005), ref: 01001303
WSAGetLastError.WSOCK32 ref: 0100130D
closesocket.WSOCK32(00000000), ref: 0100133C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 29dfcb2c66ab28ba7f356da492fec83c4bf3d00c165141c311ea17c46a9f87c0
Instruction ID: be08931626b3d6221c4973d68b248d083a5d4976e61c0d56e600f1a92eceade6
Opcode Fuzzy Hash: 29dfcb2c66ab28ba7f356da492fec83c4bf3d00c165141c311ea17c46a9f87c0
Instruction Fuzzy Hash: AB4193716001009FE721DF68C5C4B69BBE6BF46328F188198E9968F2D6C775EC81CBE1

Function 00FBB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FBB9D4
_free.LIBCMT ref: 00FBB9F8
_free.LIBCMT ref: 00FBBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01023700), ref: 00FBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0105121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01051270,000000FF,?,0000003F,00000000,?), ref: 00FBBC36
_free.LIBCMT ref: 00FBBD4B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5b330eac7b943fdf0f1be95d84ba2169c986b3608fe180ea48414edf7a84d1a5
Instruction ID: 6535c77eff686746b876fd563d8ba682eee9f6f8bc8b101bab57b03cc592e85c
Opcode Fuzzy Hash: 5b330eac7b943fdf0f1be95d84ba2169c986b3608fe180ea48414edf7a84d1a5
Instruction Fuzzy Hash: 96C11671D04204AFDB20DF6A8C41BEA7BB8EF45360F18419AE894D7245EBB99E41EF50

Function 00FED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FED481
FindClose.KERNEL32(00000000), ref: 00FED498
FindClose.KERNEL32(00000000), ref: 00FED4A1

Strings

\*.*, xrefs: 00FED3F2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4a3295960f439e27241fc4a3ef4dc7a482698b1f296fe96ee1490196ceb8b50f
Instruction ID: a2e6e954b4c15d7ba0c7005597947ae1563753be8789da84c3025dcda4b0b044
Opcode Fuzzy Hash: 4a3295960f439e27241fc4a3ef4dc7a482698b1f296fe96ee1490196ceb8b50f
Instruction Fuzzy Hash: 8F319C7140C3819BD315FF60CC918EFB7A8AEA1314F444A1EF4D592191EB29EA09EB63

Function 00FBE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FBE645

Strings

1#IND, xrefs: 00FBF83D
1#QNAN, xrefs: 00FBF84B
1#INF, xrefs: 00FBF852
1#SNAN, xrefs: 00FBF844

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e7f23c3e1a17e2384c0b954b7f8098cae8f5ac4f1f7dd1887de0f86c6e063253
Instruction ID: 56c1d86500d01dc25ba68757f0f06af223031b88e0c9c353394ff418435dad7b
Opcode Fuzzy Hash: e7f23c3e1a17e2384c0b954b7f8098cae8f5ac4f1f7dd1887de0f86c6e063253
Instruction Fuzzy Hash: 47C26D72E046288FDB25CF29DD407EAB7B5EB49314F1441EAD84DE7240E778AE85AF40

Function 00FF648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF64DC
CoInitialize.OLE32(00000000), ref: 00FF6639
CoCreateInstance.OLE32(0101FCF8,00000000,00000001,0101FB68,?), ref: 00FF6650
CoUninitialize.OLE32 ref: 00FF68D4

Strings

.lnk, xrefs: 00FF64BA, 00FF6524, 00FF65E0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 80776119f69e38a5578ab1b180ccb483f94575dab0e592536c587436f633140b
Instruction ID: 9f10a3ed2b95f4f2c6f0a0687d6519a986adf32a04db5fa09e3492ef685a793b
Opcode Fuzzy Hash: 80776119f69e38a5578ab1b180ccb483f94575dab0e592536c587436f633140b
Instruction Fuzzy Hash: ADD16A715083059FD304EF24C881AABB7E8FF94304F14491DF595DB2A1EB75E909CBA2

Function 00FF9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FF9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FF9C8B

Part of subcall function 00FF3874: GetInputState.USER32 ref: 00FF38CB
Part of subcall function 00FF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FF9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FF9C75

Strings

*.*, xrefs: 00FF9B5D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 51e7e13adbc35db87c6b745c553023c3638b528c593b0c6a37e7a3ba7db31aa0
Instruction ID: 5613db3ce1f8a5f54da6bd23340f4c29164c472718e8a05245090a8270ef3371
Opcode Fuzzy Hash: 51e7e13adbc35db87c6b745c553023c3638b528c593b0c6a37e7a3ba7db31aa0
Instruction Fuzzy Hash: DA41BE71D4820E9BDF14EF64C985BEE7BB4EF05310F104055E505A21A0EB759E84DF60

Function 00F9997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F99A4E
GetSysColor.USER32(0000000F), ref: 00F99B23
SetBkColor.GDI32(?,00000000), ref: 00F99B36

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0b9065a93d1816b62cbeb66104d74e17d682a8742acc8f10180e5a8bcd648abc
Instruction ID: 9103645620ce5b9e871f63adb665c41f67720cecfb10b7eeeeabc43f7af46f98
Opcode Fuzzy Hash: 0b9065a93d1816b62cbeb66104d74e17d682a8742acc8f10180e5a8bcd648abc
Instruction Fuzzy Hash: 3DA1FA7150C604AFFB34AA2C8C58FBB365EDB86360B1A410EF541CA695DA6EDD01F372

Function 01001806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
Part of subcall function 0100304E: _wcslen.LIBCMT ref: 0100309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0100185D
WSAGetLastError.WSOCK32 ref: 01001884
bind.WSOCK32(00000000,?,00000010), ref: 010018DB
WSAGetLastError.WSOCK32 ref: 010018E6
closesocket.WSOCK32(00000000), ref: 01001915

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 31b768694c71a35524b1f689e87990d00b49a7fe24946bdf90be81873cc37790
Instruction ID: f203eb763a0288c535512a773453be9bb5327879befd5a257cd6e3e32f733837
Opcode Fuzzy Hash: 31b768694c71a35524b1f689e87990d00b49a7fe24946bdf90be81873cc37790
Instruction Fuzzy Hash: 89519571A00200AFEB11EF28C886F6A77E5AF44718F088098FA559F3C3C779ED4187A1

Function 01011C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01011CC0
IsWindowEnabled.USER32 ref: 01011CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01011CDB
IsIconic.USER32 ref: 01011CE9
IsZoomed.USER32 ref: 01011CF7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0317c1784c6b5e2f6fa04e89c234bd7b9244cef1035d243a56ec4b250ed88ea5
Instruction ID: 95079b010ed8a66e5bf647284397b15586c10667554cce975b28c165d72ce5e7
Opcode Fuzzy Hash: 0317c1784c6b5e2f6fa04e89c234bd7b9244cef1035d243a56ec4b250ed88ea5
Instruction Fuzzy Hash: 0D21D6317402055FE7249F2AD844B5A7BE5EF85314F188098E9C58B349CB7AD842CB90

Function 00F88060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F8843C
VUUU, xrefs: 00F883E8
VUUU, xrefs: 00F883FA
ERCP, xrefs: 00F8813C
VUUU, xrefs: 00FC5DF0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 641cac1e1c5ee8a50196abd5a921a55444231b63ab78daf497d90142825a77c6
Instruction ID: d89dc3d1044fa1ca9e301385f14992cdaf946413bbb31922715091d28a106e2e
Opcode Fuzzy Hash: 641cac1e1c5ee8a50196abd5a921a55444231b63ab78daf497d90142825a77c6
Instruction Fuzzy Hash: 25A2A071E0421ACBDF24DF58C941BEDB7B1BF44760F6481A9D815AB284EB309D82EF90

Function 00FEAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FEAAAC
SetKeyboardState.USER32(00000080), ref: 00FEAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FEAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FEAB88

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1d566e63cf73b40f0029a10bab0e43a6959d68520312011f114e6cf8d0c66ead
Instruction ID: d0d75afd907344d5e93e8c032a3c3d9c6f0d45767b6f753e21409622d03281b6
Opcode Fuzzy Hash: 1d566e63cf73b40f0029a10bab0e43a6959d68520312011f114e6cf8d0c66ead
Instruction Fuzzy Hash: 13314C30E40788AEFF31CA66CC05BFA77A7ABD4320F04421AF181961D1D379A985E762

Function 00FFCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FFCE89
GetLastError.KERNEL32(?,00000000), ref: 00FFCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FFCEFE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4a40dfcff6e69c7d8d59dde08d108ea58c161fd0a999a27e145b9b71eab3afc0
Instruction ID: da63ef188d640900a0872a5926e4d428025bcfb437cf65d8e850305bf6ad5847
Opcode Fuzzy Hash: 4a40dfcff6e69c7d8d59dde08d108ea58c161fd0a999a27e145b9b71eab3afc0
Instruction Fuzzy Hash: EB21B0B194031D9BE730CFA5CA44BB6B7F8EF40364F10441EE646D2161E779EE04ABA0

Function 00FE8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FE82AA

Strings

|, xrefs: 00FE82DA
(, xrefs: 00FE82F0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6224d42ac77967f5481448e1c06a2edaa5f864fc5ac5b7acfdb3ff7d57c46ab7
Instruction ID: b4dc651ff13669e8b634df90736a7390035862c7ea75e6caecfa3ea9120fe890
Opcode Fuzzy Hash: 6224d42ac77967f5481448e1c06a2edaa5f864fc5ac5b7acfdb3ff7d57c46ab7
Instruction Fuzzy Hash: 19324775A007459FCB28DF59C480A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB40

Function 00FF5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FF5D17
FindClose.KERNEL32(?), ref: 00FF5D5F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 78dab110f6b76f6b030cb3eecaa218ea8a86f8d7f1604d424ea49d3055218ac4
Instruction ID: 7b895b9643592f75649051f3b2ded59260384c0cccc8e6140959963dca4ae3ee
Opcode Fuzzy Hash: 78dab110f6b76f6b030cb3eecaa218ea8a86f8d7f1604d424ea49d3055218ac4
Instruction Fuzzy Hash: FD51CC74A046059FD714DF28C884EAAB7E4FF49324F14855DEA9A8B3A1CB34EC04DBA1

Function 00FB2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FB271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FB2731

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 13e8f4d17cb920f90993846203afdcbe2895cedbf231cdb36cf668357aa2b04e
Instruction ID: e09a0f15edf20fd56f8c19a61f9dcc2fbc8196898090778de3d7713b5064a1e3
Opcode Fuzzy Hash: 13e8f4d17cb920f90993846203afdcbe2895cedbf231cdb36cf668357aa2b04e
Instruction Fuzzy Hash: AA31D5749412189BCB61DF68DD887DCB7B8AF08310F5041EAE41CA7260EB389F819F44

Function 00FF51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FF5238
SetErrorMode.KERNEL32(00000000), ref: 00FF52A1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6db8e17a659eaeb628c962cd7a604aeb53e51643bf2f83b1adcb3e90e2af94f6
Instruction ID: f6dcbdc0b686f2825e760c6f69607ada916084d856cbb2991b2f616ecbd55ca1
Opcode Fuzzy Hash: 6db8e17a659eaeb628c962cd7a604aeb53e51643bf2f83b1adcb3e90e2af94f6
Instruction Fuzzy Hash: 21317C75A00508DFDB00EF54D884EADBBB4FF09318F088099E945AB366CB36E845DBA0

Function 00FE16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA0668
Part of subcall function 00F9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FA0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE173A
GetLastError.KERNEL32 ref: 00FE174A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: abf8e77e31c19640b2f014e1e0360ae23761383fe77f0f899dc8d6fdb9a7fdf2
Instruction ID: 0de1eca9048ca2dd535cd65c08c03f22a326566040876521247e31f9f3c46d65
Opcode Fuzzy Hash: abf8e77e31c19640b2f014e1e0360ae23761383fe77f0f899dc8d6fdb9a7fdf2
Instruction Fuzzy Hash: 9711C1B2410304AFE7289F55DC86D6AB7B9FB44714B20852EF05697241EB74FC45CB20

Function 00FED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FED650

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8f892b139236003c66182384ccd061bb829d80c472532a7573832a8bfe0c848c
Instruction ID: 3fb616359afde7194fdba0a1b1ef60d9541c1d1137ad704aeba2127fe2f05073
Opcode Fuzzy Hash: 8f892b139236003c66182384ccd061bb829d80c472532a7573832a8bfe0c848c
Instruction Fuzzy Hash: 4E118E71E41228BFEB208F95DC44FAFBBBCEB45B60F108111F914E7280C2744A018BA1

Function 00FE1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FE168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FE16A1
FreeSid.ADVAPI32(?), ref: 00FE16B1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b002b257f0940228bd0430cf250c0cf0b9c2bbc94ab7d9e2c9b3b916bbcf7274
Instruction ID: 72a167002108dd58ef546c54b4a8d5ed403749ffe4ed4a1cb9886f5bd2aeadc0
Opcode Fuzzy Hash: b002b257f0940228bd0430cf250c0cf0b9c2bbc94ab7d9e2c9b3b916bbcf7274
Instruction Fuzzy Hash: CFF0F471990309BBEB10DFE49989EAEBBBCFB08604F504565E501E2181E779EA449B50

Function 00FBC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00FBC36C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 710280c23ed95c60372dd41a5140e37c3e2818149edba69225372673297e6ee3
Instruction ID: 812a05c16062e9317dcf2672ff04def296f1aeeb45f4eee693f2edea221a61cb
Opcode Fuzzy Hash: 710280c23ed95c60372dd41a5140e37c3e2818149edba69225372673297e6ee3
Instruction Fuzzy Hash: 1C412976900219AFCB20DFBACC89EFB77B8EB84314F544269F905D7180E6719E819F90

Function 00FEE3B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FEE3ED

Strings

DOWN, xrefs: 00FEE3D2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 614b21e141481e3681356a749ec7a46f787dbe2fec23898701cbad001974ea7e
Instruction ID: 47245b5fdb0449533cb0dd222d2b0f75744e851cf64f0c5242f682fecc63457f
Opcode Fuzzy Hash: 614b21e141481e3681356a749ec7a46f787dbe2fec23898701cbad001974ea7e
Instruction Fuzzy Hash: 5DE086A2ADC7213DB92414167C06DF6174CCB12235B11121AF8409A0C0DE985C81B168

Function 00FDD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FDD28C

Strings

X64, xrefs: 00FDD2A8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d1f17499b4ce001367d8f3606767d13579e97ac17f8cc11d50981b8df7c19178
Instruction ID: 9b78ce9e738f26aba207ca0170177be806af13cbcd57b0b88bf1411293544aee
Opcode Fuzzy Hash: d1f17499b4ce001367d8f3606767d13579e97ac17f8cc11d50981b8df7c19178
Instruction Fuzzy Hash: 89D0C9B580111DEADF94CA90D888ED9B37CBB04345F100152F146A2100D73495489F10

Function 00FACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7a60ae0b20a1f8a43d8d1f57a2acb9f4993804403e14513e7dce5f1c7fc49723
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 11021CB2E002199FDF14CFA9C9806ADFBF1EF49324F254169D919E7380D731A9419BD4

Function 00FF68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FF6918
FindClose.KERNEL32(00000000), ref: 00FF6961

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c07a526c52888b8c67124f56c5a9b000985fa968578ddff8c82727136a12bce
Instruction ID: 2a2a29c89dadf045f18d1bb1b6962fd72db6d10b194d883923da96e2acbbaf4d
Opcode Fuzzy Hash: 7c07a526c52888b8c67124f56c5a9b000985fa968578ddff8c82727136a12bce
Instruction Fuzzy Hash: 9911D0316042009FD720DF29D885A26BBE0FF84328F14C699F5698F2A2CB74EC05CBA0

Function 00FF37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01004891,?,?,00000035,?), ref: 00FF37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01004891,?,?,00000035,?), ref: 00FF37F4

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6d0328797abfcd395174a652e1254fa2f386b4166fa5bd54d8b4d63121c44525
Instruction ID: 254d594ef1ab17731f98d7b98d1146db81ee6937b535566103b569819a4ca6d4
Opcode Fuzzy Hash: 6d0328797abfcd395174a652e1254fa2f386b4166fa5bd54d8b4d63121c44525
Instruction Fuzzy Hash: 45F0E5B1A082292AE72026669D4DFEB3AAEEFC5761F000165F609D2285D9A89944D7B0

Function 00FEB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FEB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00FEB270

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e459d9e0c9ce4bb276d7bb7d1caf165877304c247ae059cdd50835f2fcb146a8
Instruction ID: cd0bce7a0c9bd1f69ef8da148716c7774603da7f3e6e2b3efab38527ae99ba19
Opcode Fuzzy Hash: e459d9e0c9ce4bb276d7bb7d1caf165877304c247ae059cdd50835f2fcb146a8
Instruction Fuzzy Hash: 09F01D7184428DABEB169FA1C805BAE7BB4FF04315F008009F955A5195C37DC6119F94

Function 00FE10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE11FC), ref: 00FE10D4
CloseHandle.KERNEL32(?,?,00FE11FC), ref: 00FE10E9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 805f029cd14ac848d649db45d8179876e171f051bbe91b617001cd4e4e27f204
Instruction ID: 86ccd352f7a9a5764b14497cd39ef491aa4048153848d1f6d33b5ce52e9564a1
Opcode Fuzzy Hash: 805f029cd14ac848d649db45d8179876e171f051bbe91b617001cd4e4e27f204
Instruction Fuzzy Hash: A0E04F32004610AFFB352B11FC05E7377A9FB04320B20882EF5A5804B5DB66AC90EB10

Function 00F8CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00FD0C40

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1c42a8772bdd302da0ecd828956454cf9b75065cbd660a3077581472dbc44423
Instruction ID: 412f2497cd9b662bf61fde28fe38a52ee5652b42844d2a339f4a5f738095e094
Opcode Fuzzy Hash: 1c42a8772bdd302da0ecd828956454cf9b75065cbd660a3077581472dbc44423
Instruction Fuzzy Hash: A0329D31D00218DBDF14EF90D881BEDB7B6FF05318F14805AE906AB292DB75AD45EBA0

Function 00FB676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FB6766,?,?,00000008,?,?,00FBFEFE,00000000), ref: 00FB6998

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e2a4e6a4811c37bde8ec7841697a0aa3d42abf74d73757593f7ff4b1242e4ca2
Instruction ID: d576bbe58957bd3a3f4180470d625df3fa9b551514cb15cef0c66948dfbe0922
Opcode Fuzzy Hash: e2a4e6a4811c37bde8ec7841697a0aa3d42abf74d73757593f7ff4b1242e4ca2
Instruction Fuzzy Hash: C2B15E32510608DFDB15CF29C486BA57BE0FF45364F258658E899CF2A1C739D991DF40

Function 00F9B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00FD851F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8c1e9e21c3fad749d90d774351f82a031dd20f29cb1c5e7d1270256d15f1b068
Instruction ID: 1e448f7fe35604c6953696ad406f16d4d7fc6a884f32f570d404c57a74c1254a
Opcode Fuzzy Hash: 8c1e9e21c3fad749d90d774351f82a031dd20f29cb1c5e7d1270256d15f1b068
Instruction Fuzzy Hash: 29125F71D00229DBDF24CF58D980BEEB7B5FF48710F14819AE849EB255DB349A81EB90

Function 00FFEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FFEABD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 674b2da9009484c91348af48db0175b50404e69be54b510c90a3c5336eebde63
Instruction ID: a849259927ecbc294154d6052b48320138b84b56d91c8dba8a978de1a83b9baf
Opcode Fuzzy Hash: 674b2da9009484c91348af48db0175b50404e69be54b510c90a3c5336eebde63
Instruction Fuzzy Hash: BCE01A362002049FD710EF59D805E9ABBE9AF98760F008416FD49CB261DA78E8409BA0

Function 00FA09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FA03EE), ref: 00FA09DA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 702660381c778d05a6925f4c47be082436245cb033f834f97747699164d38d57
Instruction ID: 31cb92f8c27e24675404162748067ef43fdd5845c7908fc109fb7a44253bd877
Opcode Fuzzy Hash: 702660381c778d05a6925f4c47be082436245cb033f834f97747699164d38d57
Instruction Fuzzy Hash:

Function 00FA781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FA798B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c66f7cbdd7fc692f455a6bfac746c8fcb71b60fa72ceea602b0b71353f998568
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A3516AF2E0C7055BDB3875288C59FBF63999B07360F28051AD886D7292C61DEE06F356

Function 00FB6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac993dc1e221aa90a778f8bd1e94950e990fd68d3f867b838c9a101e9b2207e
Instruction ID: 3b98d3087681ad460155f4f6edffe3d1d88771add9858a3411efef33d6e17966
Opcode Fuzzy Hash: 9ac993dc1e221aa90a778f8bd1e94950e990fd68d3f867b838c9a101e9b2207e
Instruction Fuzzy Hash: F7322432D29F014DDB33A935D822335A249AFF73D5F25C737E81AB5999EB29C4835600

Function 00F9CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36937607f85b60196a24471167e746cae88623c65a676714dc4736f731d098f7
Instruction ID: bc77a09bc449cd9654e520a17f6b1e38d21c0bdc1ccd75b858d91562f8531175
Opcode Fuzzy Hash: 36937607f85b60196a24471167e746cae88623c65a676714dc4736f731d098f7
Instruction Fuzzy Hash: 3732F332E401968BDF28CA68C4A067D7BA3EB45320F2C856BD599CB391D634DD81FBC1

Function 00F87920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d88f57a5c4df73afdd7dbfa9a9644dd3934c4c738f34e265c4e1497dbf21f1
Instruction ID: a4a13bc14213c1ad9e30840d8df09f84face63445d7ff1cc1e416fdd7440641a
Opcode Fuzzy Hash: 07d88f57a5c4df73afdd7dbfa9a9644dd3934c4c738f34e265c4e1497dbf21f1
Instruction Fuzzy Hash: 7822C371E046069FDF14EF64C982BEEB3B2FF44710F244529E412A7291EB39E954EB50

Function 00F891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66112af5ba15ee392eab778c7db55a22c1ce4bb8422d5bbb6eb011beaf54d1c1
Instruction ID: b1a4a311908f7fe4f5015867a88634f01f61ca8f5c3678dc452178223022b5ab
Opcode Fuzzy Hash: 66112af5ba15ee392eab778c7db55a22c1ce4bb8422d5bbb6eb011beaf54d1c1
Instruction Fuzzy Hash: F502B4B1E0020AEFDF04DF54D982BADB7B5FF44310F148169E806DB290EB75AA14EB90

Function 00FB9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51974facc6f0d4a5ea25844b84f97a525630be8c627f31f6eb1002033747bb00
Instruction ID: d6865742c0e31a6fa3ee4de6cb9109000e776e57e6cc8c997965b99341b8ba30
Opcode Fuzzy Hash: 51974facc6f0d4a5ea25844b84f97a525630be8c627f31f6eb1002033747bb00
Instruction Fuzzy Hash: 60B1C030D2AF414DD23399398831336B65CBFBB6D5B61D71BFC5678E16EB2A86834240

Function 00FA1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: abafc24050dff839ba82b4c992d9d941e4e271ed4cb194cf8f8ea8a224f92bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 709157B3A080A34ADB29463E857417EFFE16A933B1B1B079DD4F2CA1C5FE149954F620

Function 00FA1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3f49149e82872058a92001ecd13c079826a60d67d8578eda1025abe0979e55c7
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 289140B3B090E34EDB69423D847413EFEE15A933B171A079EE4F2CA1C5EE249954F620

Function 00FA19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ce235549ba842d97c2ec1a79c477339449aa64190c5aaad957f4923ecf2ea51e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AD9133B36090A34ADB2D467A857407EFFE16A933B2B1B079DD4F2CA1C1FD249564F620

Function 00FA7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656995fe169c6323ff525deab172c3cc3723d1fb059c0b0aeadb54d41a8f9320
Instruction ID: 4e52876af143589545f4fe2f75fbb5275d5430eb05b231494ef57fe794d75ac4
Opcode Fuzzy Hash: 656995fe169c6323ff525deab172c3cc3723d1fb059c0b0aeadb54d41a8f9320
Instruction Fuzzy Hash: FB617BF2A0870566DA34B9288C95FBF3394DFC37A0F140919E843CB295D6599E43B375

Function 00FA7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fbe123ac5ffe00c81f1b26ae672df4e33bf97ca9926a2296e5438308d97725
Instruction ID: 4ccea432dd4e350a13c1588ca185da183eb0e050613c9bcf6e103e473a082bf0
Opcode Fuzzy Hash: 97fbe123ac5ffe00c81f1b26ae672df4e33bf97ca9926a2296e5438308d97725
Instruction Fuzzy Hash: 21618AF2E0870956DE387A288C95FBF3394DF43760F140959E843CB281EA56AD43B355

Function 00FA1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 205dd7e31516e186091ed47271694cc52ec3efd0ab19197057909137682c90bd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D8142B3A090A349EB6D463A857443EFFE17A933B1B1B079DD4F2CA1C1EE249554F620

Function 00FF2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad8c0025952217aecad313947fbbde9dc1ad2eb8d601f4c0dda9a7ae2ef498e
Instruction ID: 91d0a7c62c3d1bf936cd833e540e78c0ef69274358b90d5868ec2057073c9d87
Opcode Fuzzy Hash: 1ad8c0025952217aecad313947fbbde9dc1ad2eb8d601f4c0dda9a7ae2ef498e
Instruction Fuzzy Hash: AA21BB326206158BDB28CE79C81367E73D5AB54320F158A2EE4A7C37D4DE3AA904D750

Function 01002ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01002B30
DeleteObject.GDI32(00000000), ref: 01002B43
DestroyWindow.USER32 ref: 01002B52
GetDesktopWindow.USER32 ref: 01002B6D
GetWindowRect.USER32(00000000), ref: 01002B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01002CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01002CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002CF8
GetClientRect.USER32(00000000,?), ref: 01002D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01002D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D80
GlobalLock.KERNEL32(00000000), ref: 01002D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002D98
GlobalUnlock.KERNEL32(00000000), ref: 01002DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002DA8
GlobalFree.KERNEL32(00000000), ref: 01002DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0101FC38,00000000), ref: 01002DDB
GlobalFree.KERNEL32(00000000), ref: 01002DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01002E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01002E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01002E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100303F

Strings

static, xrefs: 01002D3A, 01002E91
, xrefs: 01002FC5
AutoIt v3, xrefs: 01002CF2
DISPLAY, xrefs: 01002EA2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7d55f66443aea02a1ada10df3c92ebc842008ca9d29e79bbd6b161d0d9face53
Instruction ID: adf26564899b51625d28e6526a24d60cc0c4acab7ca36921703ed96271b0aba1
Opcode Fuzzy Hash: 7d55f66443aea02a1ada10df3c92ebc842008ca9d29e79bbd6b161d0d9face53
Instruction Fuzzy Hash: A602BD71500208AFEB25DFA4CD88EAE7BB9FF49710F048158F955AB295CB39ED00CB60

Function 010170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101712F
GetSysColorBrush.USER32(0000000F), ref: 01017160
GetSysColor.USER32(0000000F), ref: 0101716C
SetBkColor.GDI32(?,000000FF), ref: 01017186
SelectObject.GDI32(?,?), ref: 01017195
InflateRect.USER32(?,000000FF,000000FF), ref: 010171C0
GetSysColor.USER32(00000010), ref: 010171C8
CreateSolidBrush.GDI32(00000000), ref: 010171CF
FrameRect.USER32(?,?,00000000), ref: 010171DE
DeleteObject.GDI32(00000000), ref: 010171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01017230
FillRect.USER32(?,?,?), ref: 01017262
GetWindowLongW.USER32(?,000000F0), ref: 01017284

Part of subcall function 010173E8: GetSysColor.USER32(00000012), ref: 01017421
Part of subcall function 010173E8: SetTextColor.GDI32(?,?), ref: 01017425
Part of subcall function 010173E8: GetSysColorBrush.USER32(0000000F), ref: 0101743B
Part of subcall function 010173E8: GetSysColor.USER32(0000000F), ref: 01017446
Part of subcall function 010173E8: GetSysColor.USER32(00000011), ref: 01017463
Part of subcall function 010173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01017471
Part of subcall function 010173E8: SelectObject.GDI32(?,00000000), ref: 01017482
Part of subcall function 010173E8: SetBkColor.GDI32(?,00000000), ref: 0101748B
Part of subcall function 010173E8: SelectObject.GDI32(?,?), ref: 01017498
Part of subcall function 010173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010174B7
Part of subcall function 010173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010174CE
Part of subcall function 010173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010174DB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8c6f2290bea6386ed2925dadc76dff4a7d5f7cb12d23399144a207dc40ef50f2
Instruction ID: bff69af1a1d5cc5931ba2e95764cc3c4f9d8708b05ced2ffc3320629ca652309
Opcode Fuzzy Hash: 8c6f2290bea6386ed2925dadc76dff4a7d5f7cb12d23399144a207dc40ef50f2
Instruction Fuzzy Hash: 3AA1CF72048301EFEB219F64DD48A6B7BE9FB89320F100A19FAE2961D4D77ED944CB51

Function 00F98D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F98E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FD6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FD6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FD6F43

Part of subcall function 00F98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F98BE8,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98FC5

SendMessageW.USER32(?,00001053), ref: 00FD6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FD6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FD6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FD6FB7

Strings

0, xrefs: 00FD6DCF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 461b47fd2a229ade27c8983ddf1ac136e3a04dd564d9703b6f840336e59457c1
Instruction ID: b081fce39fa6789b2eb75a40cac290f67a44843aa67506b1a2b5eec4699e8739
Opcode Fuzzy Hash: 461b47fd2a229ade27c8983ddf1ac136e3a04dd564d9703b6f840336e59457c1
Instruction Fuzzy Hash: 0212BF31A00201AFEB25DF14D954BAABBF6FB45320F18446AF495CB251CB3AEC52EB51

Function 01002711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0100273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0100286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01002900
GetClientRect.USER32(00000000,?), ref: 0100290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01002955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01002964
GetStockObject.GDI32(00000011), ref: 01002974
SelectObject.GDI32(00000000,00000000), ref: 01002978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01002988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01002991
DeleteDC.GDI32(00000000), ref: 0100299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01002A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01002A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01002A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01002A77
GetStockObject.GDI32(00000011), ref: 01002A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01002A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01002A97

Strings

msctls_progress32, xrefs: 01002A13
static, xrefs: 0100294F, 01002A71
AutoIt v3, xrefs: 010028F8
DISPLAY, xrefs: 0100295A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e2205d60002c250bd1cfb2b04e8b28c4f8f9c4a0c951d0eb957f4e6fb6523a02
Instruction ID: 152541f5941568381e357b0bcd957203593696459d311c2c6e8b0ccabed7013c
Opcode Fuzzy Hash: e2205d60002c250bd1cfb2b04e8b28c4f8f9c4a0c951d0eb957f4e6fb6523a02
Instruction Fuzzy Hash: 84B17DB1A40205AFEB24DF68CD49FAE7BA9FB08710F008154F954EB2D1D778E940CB60

Function 00FF4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF4AED
GetDriveTypeW.KERNEL32(?,0101CB68,?,\\.\,0101CC08), ref: 00FF4BCA
SetErrorMode.KERNEL32(00000000,0101CB68,?,\\.\,0101CC08), ref: 00FF4D36

Strings

SSA, xrefs: 00FF4CA6
1394, xrefs: 00FF4C9F
FileBackedVirtual, xrefs: 00FF4CEC
ATA, xrefs: 00FF4C98
SSD, xrefs: 00FF4C4A
ATAPI, xrefs: 00FF4C91
SATA, xrefs: 00FF4CD0
Unknown, xrefs: 00FF4BED, 00FF4C83
CDROM, xrefs: 00FF4BFB
\\.\, xrefs: 00FF4B3F
Virtual, xrefs: 00FF4CE5
PhysicalDrive, xrefs: 00FF4B76
Fixed, xrefs: 00FF4C09
Network, xrefs: 00FF4C02
MMC, xrefs: 00FF4CDE
iSCSI, xrefs: 00FF4CC2
Removable, xrefs: 00FF4C10, 00FF4C15
SAS, xrefs: 00FF4CC9
RAID, xrefs: 00FF4CBB
RAMDisk, xrefs: 00FF4BF4
SCSI, xrefs: 00FF4C8A
Fibre, xrefs: 00FF4CAD
USB, xrefs: 00FF4CB4

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c97351bfa9ccbe5454cce30532c4bf2ef8abb297124802883039a2e9516bb0cc
Instruction ID: ffb1e9ca2f959b379845e17633e4ac0f8420c506c521d2efcafc53553326907d
Opcode Fuzzy Hash: c97351bfa9ccbe5454cce30532c4bf2ef8abb297124802883039a2e9516bb0cc
Instruction Fuzzy Hash: F861F771A0520D9BCB04EF14CAC1ABE77A0AF45710B244029FA46AF671DB76FD81FB51

Function 010173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01017421
SetTextColor.GDI32(?,?), ref: 01017425
GetSysColorBrush.USER32(0000000F), ref: 0101743B
GetSysColor.USER32(0000000F), ref: 01017446
CreateSolidBrush.GDI32(?), ref: 0101744B
GetSysColor.USER32(00000011), ref: 01017463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01017471
SelectObject.GDI32(?,00000000), ref: 01017482
SetBkColor.GDI32(?,00000000), ref: 0101748B
SelectObject.GDI32(?,?), ref: 01017498
InflateRect.USER32(?,000000FF,000000FF), ref: 010174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01017554
InflateRect.USER32(?,000000FD,000000FD), ref: 01017572
DrawFocusRect.USER32(?,?), ref: 0101757D
GetSysColor.USER32(00000011), ref: 0101758E
SetTextColor.GDI32(?,00000000), ref: 01017596
DrawTextW.USER32(?,010170F5,000000FF,?,00000000), ref: 010175A8
SelectObject.GDI32(?,?), ref: 010175BF
DeleteObject.GDI32(?), ref: 010175CA
SelectObject.GDI32(?,?), ref: 010175D0
DeleteObject.GDI32(?), ref: 010175D5
SetTextColor.GDI32(?,?), ref: 010175DB
SetBkColor.GDI32(?,?), ref: 010175E5

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 275df215a13488331cc7d799febd7e36cf703cb57829ea56616ce8014d06de0d
Instruction ID: 3f2bffefdc2f66b45a0b26136f53c0bc2c88f5dd9c2be5b69ac761f63a1b6551
Opcode Fuzzy Hash: 275df215a13488331cc7d799febd7e36cf703cb57829ea56616ce8014d06de0d
Instruction Fuzzy Hash: 74618C72940218AFEF119FA8DD48EEEBFB9EB09320F144111FA51AB295D779D940CF90

Function 01010FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01011128
GetDesktopWindow.USER32 ref: 0101113D
GetWindowRect.USER32(00000000), ref: 01011144
GetWindowLongW.USER32(?,000000F0), ref: 01011199
DestroyWindow.USER32(?), ref: 010111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01011232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01011245
IsWindowVisible.USER32(00000000), ref: 010112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010112D0
GetWindowRect.USER32(00000000,?), ref: 010112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0101130E
GetMonitorInfoW.USER32(00000000,?), ref: 01011328
CopyRect.USER32(?,?), ref: 0101133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010113AA

Strings

(, xrefs: 0101131B
0, xrefs: 010110D3
tooltips_class32, xrefs: 010111E6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 987d4b029e613c2c09eac3766ca99bd0d8a56f422bd86c3b45fb8d300af74c13
Instruction ID: 42471d42e4058eb82dd747ac902166f77c163ca0302c754a563b16e5c1fb48a3
Opcode Fuzzy Hash: 987d4b029e613c2c09eac3766ca99bd0d8a56f422bd86c3b45fb8d300af74c13
Instruction Fuzzy Hash: 16B1AE71608341AFD754DF64C984BAEBBE4FF88310F008958FAD99B295C779E844CB91

Function 01010241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010102E5
_wcslen.LIBCMT ref: 0101031F
_wcslen.LIBCMT ref: 01010389
_wcslen.LIBCMT ref: 010103F1
_wcslen.LIBCMT ref: 01010475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01010504

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

Part of subcall function 00FE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE2258
Part of subcall function 00FE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE228A

Strings

GETSELECTED, xrefs: 010105E1
SELECTINVERT, xrefs: 0101057E
GETTEXT, xrefs: 010103EC, 01010407
SELECT, xrefs: 01010548
SELECTCLEAR, xrefs: 0101052D
FINDITEM, xrefs: 01010627
DESELECT, xrefs: 0101059C
ISSELECTED, xrefs: 010104DD
VIEWCHANGE, xrefs: 01010675
SELECTALL, xrefs: 01010515
GETITEMCOUNT, xrefs: 01010316, 01010337
GETSUBITEMCOUNT, xrefs: 01010384, 0101039F
GETSELECTEDCOUNT, xrefs: 01010470, 0101048B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 2b658ef2372ffeea8c5b14a22a8539a0d0c5efd979ef7eaf10d6aed880d08345
Instruction ID: b2fc3d1246156de467d407f8014682246baafae3d75a07bccef37b5b2657433b
Opcode Fuzzy Hash: 2b658ef2372ffeea8c5b14a22a8539a0d0c5efd979ef7eaf10d6aed880d08345
Instruction Fuzzy Hash: ECE1C1712042018FD714EF28C99086FB7E5BFC8714B14899DF8D69B2AADB38ED85CB51

Function 00F98891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F98968
GetSystemMetrics.USER32(00000007), ref: 00F98970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F9899B
GetSystemMetrics.USER32(00000008), ref: 00F989A3
GetSystemMetrics.USER32(00000004), ref: 00F989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F98A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F98A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F98A5A
GetStockObject.GDI32(00000011), ref: 00F98A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F98A81

Part of subcall function 00F9912D: GetCursorPos.USER32(?), ref: 00F99141
Part of subcall function 00F9912D: ScreenToClient.USER32(00000000,?), ref: 00F9915E
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000001), ref: 00F99183
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000002), ref: 00F9919D

SetTimer.USER32(00000000,00000000,00000028,00F990FC), ref: 00F98AA8

Strings

AutoIt v3 GUI, xrefs: 00F98A20

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9b5606c90d087dbf4f8dca7c7d49b1e15f536aca2b2a5f15510f3c7b532abd3f
Instruction ID: ab4bd4add2fc8d3296acb2069a38db65278c488dd4736a81bdc3901a94ecc1f4
Opcode Fuzzy Hash: 9b5606c90d087dbf4f8dca7c7d49b1e15f536aca2b2a5f15510f3c7b532abd3f
Instruction Fuzzy Hash: BBB19131A4020AAFEF24DF68C945BAE3BB5FB48314F14421AFA55E7284DB79D841DF50

Function 00FE0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
Part of subcall function 00FE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
Part of subcall function 00FE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
Part of subcall function 00FE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
Part of subcall function 00FE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE0E29
GetLengthSid.ADVAPI32(?), ref: 00FE0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FE0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE0E96
GetLengthSid.ADVAPI32(?), ref: 00FE0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FE0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FE0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE0EDD
CopySid.ADVAPI32(00000000), ref: 00FE0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F6E
HeapFree.KERNEL32(00000000), ref: 00FE0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F7E
HeapFree.KERNEL32(00000000), ref: 00FE0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE0F8E
HeapFree.KERNEL32(00000000), ref: 00FE0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE0FA1
HeapFree.KERNEL32(00000000), ref: 00FE0FA8

Part of subcall function 00FE1193: GetProcessHeap.KERNEL32(00000008,00FE0BB1,?,00000000,?,00FE0BB1,?), ref: 00FE11A1
Part of subcall function 00FE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FE0BB1,?), ref: 00FE11A8
Part of subcall function 00FE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FE0BB1,?), ref: 00FE11B7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4437686c38f13744723ae393aa37d86fc5d7954bcd5239cd28cb3762d5a1c251
Instruction ID: 35bde037181125af3993c6c5a8278aaec54557bb8c1f50b85e703b59cf709dfd
Opcode Fuzzy Hash: 4437686c38f13744723ae393aa37d86fc5d7954bcd5239cd28cb3762d5a1c251
Instruction Fuzzy Hash: F5718C72D0024AABEF209FA6DC44FAEBBB8FF05310F044125F959A6180DB79DE55DB60

Function 0100C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0101CC08,00000000,?,00000000,?,?), ref: 0100C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0100C5A4
_wcslen.LIBCMT ref: 0100C5F4
_wcslen.LIBCMT ref: 0100C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0100C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0100C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0100C84D
RegCloseKey.ADVAPI32(?), ref: 0100C881
RegCloseKey.ADVAPI32(00000000), ref: 0100C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0100C960

Strings

REG_MULTI_SZ, xrefs: 0100C6F5
REG_QWORD, xrefs: 0100C8C3
REG_BINARY, xrefs: 0100C913
REG_EXPAND_SZ, xrefs: 0100C5CD
REG_DWORD, xrefs: 0100C804
REG_SZ, xrefs: 0100C644

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 033bbbab00250927ae74bb07c447378719dc2cf5248bd08d01583e8376854728
Instruction ID: 3a1faaf423bb61ae3e113d02d198a5ec10bc7f75be56804a532071d345356599
Opcode Fuzzy Hash: 033bbbab00250927ae74bb07c447378719dc2cf5248bd08d01583e8376854728
Instruction Fuzzy Hash: 9812AD352042009FE715EF14C981B6AB7E5FF88314F18899CF98A9B3A2DB35ED41CB91

Function 0101091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010109C6
_wcslen.LIBCMT ref: 01010A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01010A54
_wcslen.LIBCMT ref: 01010A8A
_wcslen.LIBCMT ref: 01010B06
_wcslen.LIBCMT ref: 01010B81

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

Part of subcall function 00FE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FE2BFA

Strings

CHECK, xrefs: 01010A85, 01010AA0
GETSELECTED, xrefs: 01010C4E
ISCHECKED, xrefs: 01010CE1
GETTEXT, xrefs: 01010C97
COLLAPSE, xrefs: 01010B01, 01010B1C
UNCHECK, xrefs: 01010D3E
GETTOTALCOUNT, xrefs: 010109F2, 01010A17
EXISTS, xrefs: 01010B7C, 01010B97
EXPAND, xrefs: 01010BF8
GETITEMCOUNT, xrefs: 01010C1E
SELECT, xrefs: 01010D11

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 648a6c702bdbcd1e35358ba0f45f375625cb00729a33992a0c599a3715323975
Instruction ID: a4b6eeaba1048eab4208853d6a220408ce6146e3a1d493a95de037b3aa2bc5d1
Opcode Fuzzy Hash: 648a6c702bdbcd1e35358ba0f45f375625cb00729a33992a0c599a3715323975
Instruction Fuzzy Hash: 7DE1A0712083018FC714EF29C89096EB7E1BF88314B54899DF8D69B36AD739ED85CB91

Function 0100C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
_wcslen.LIBCMT ref: 0100C9F1
_wcslen.LIBCMT ref: 0100CA68
_wcslen.LIBCMT ref: 0100CA9E
_wcslen.LIBCMT ref: 0100CAF9
_wcslen.LIBCMT ref: 0100CB2F
_wcslen.LIBCMT ref: 0100CB7F

Strings

HKU, xrefs: 0100CBF0
HKEY_CURRENT_USER, xrefs: 0100CBBD
HKEY_USERS, xrefs: 0100CBDF
HKEY_CLASSES_ROOT, xrefs: 0100CAF3, 0100CAF8
HKEY_LOCAL_MACHINE, xrefs: 0100CA62, 0100CA67
HKLM, xrefs: 0100CA98, 0100CA9D
HKCC, xrefs: 0100CBAC
HKCU, xrefs: 0100CBCE
HKCR, xrefs: 0100CB29, 0100CB2E
HKEY_CURRENT_CONFIG, xrefs: 0100CB79, 0100CB7E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7b15d1ee54c084c79fb3531bde8d3d505f4f760a2660fec5e9dd5a6c07ee7dfe
Instruction ID: e43897877dfc16ca4b8c5c9a3e76c847ee3cdb41d91c8bef6e10a1223d681639
Opcode Fuzzy Hash: 7b15d1ee54c084c79fb3531bde8d3d505f4f760a2660fec5e9dd5a6c07ee7dfe
Instruction Fuzzy Hash: F67102726005268BFB22DE6CCE409BF33D1AB96654F5407E8FCD2972C6E635DD8493A0

Function 0101833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101835A
_wcslen.LIBCMT ref: 0101836E
_wcslen.LIBCMT ref: 01018391
_wcslen.LIBCMT ref: 010183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01015BF2), ref: 0101844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01018487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01018501
FreeLibrary.KERNEL32(?), ref: 0101850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101851D
DestroyIcon.USER32(?,?,?,?,?,01015BF2), ref: 0101852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01018549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01018555

Strings

.icl, xrefs: 01018368
.dll, xrefs: 010183AB
.exe, xrefs: 01018388

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3a365ab5e37cd0d1ef6d6202843ce91b739679a81a54c373aecbcab33ecdd9b9
Instruction ID: ad25b55ce6e03aa69a5243450293f72033d442a4eb3ba5b8db2f6d014d662fed
Opcode Fuzzy Hash: 3a365ab5e37cd0d1ef6d6202843ce91b739679a81a54c373aecbcab33ecdd9b9
Instruction Fuzzy Hash: 9861E2B1540205BBEB24DF64CC81BBE77A8FB08710F10864AF995D60D5DBBCEA90D7A0

Function 00F87778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 00FC528C
", xrefs: 00FC5153
#ce, xrefs: 00F878ED
#notrayicon, xrefs: 00F877E7
Bad directive syntax error, xrefs: 00FC519A
#include, xrefs: 00F87847
#pragma compile, xrefs: 00F877D3
#include-once, xrefs: 00F8782F
#cs, xrefs: 00F87873, 00F878C5
#comments-start, xrefs: 00F8785F, 00F878B1
#comments-end, xrefs: 00F878D9
#requireadmin, xrefs: 00F877FF
', xrefs: 00FC5169
Cannot parse #include, xrefs: 00FC5279
#OnAutoItStartRegister, xrefs: 00F87817

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ab63735dd3727bb6c74d66e8b02a24288baa23f1146ff8c38b2f62fd9eaa2577
Instruction ID: 937ecf3a58849d45b455c8dc637ad060fc7222c8c1e751155b3c457efca056b1
Opcode Fuzzy Hash: ab63735dd3727bb6c74d66e8b02a24288baa23f1146ff8c38b2f62fd9eaa2577
Instruction Fuzzy Hash: DB8129B1A44306BBDB20BF60CD83FEE77A4AF15750F144028F804AA196EB78D945F7A0

Function 00FF3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FF3EF8
_wcslen.LIBCMT ref: 00FF3F03
_wcslen.LIBCMT ref: 00FF3F5A
_wcslen.LIBCMT ref: 00FF3F98
GetDriveTypeW.KERNEL32(?), ref: 00FF3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF4087

Strings

closed, xrefs: 00FF3F08, 00FF3F2D, 00FF3F46, 00FF3F7E, 00FF3F97
close cd wait, xrefs: 00FF4072
open , xrefs: 00FF3FE5
open, xrefs: 00FF3F54, 00FF3F59
set cd door , xrefs: 00FF4028
wait, xrefs: 00FF4044
close, xrefs: 00FF3EFE, 00FF3F18
type cdaudio alias cd wait, xrefs: 00FF4001

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e3d3252dbec0b552c816db7dbc1879e1b5a5f7fa65a8e4b2cf92acbfeef535aa
Instruction ID: 6c3c3c69e89d11d8dbd781a44b8e05f75d96409a1a1c97fdcdf32e1ced8afc17
Opcode Fuzzy Hash: e3d3252dbec0b552c816db7dbc1879e1b5a5f7fa65a8e4b2cf92acbfeef535aa
Instruction Fuzzy Hash: 2571E072A042069FC310EF24C8809BBB7F4EF95768F00492DF695972A1EB35EE45DB91

Function 00FE5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FE5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FE5A40
SetWindowTextW.USER32(?,?), ref: 00FE5A57
GetDlgItem.USER32(?,000003EA), ref: 00FE5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FE5A72
GetDlgItem.USER32(?,000003E9), ref: 00FE5A82
SetWindowTextW.USER32(00000000,?), ref: 00FE5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FE5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FE5AC3
GetWindowRect.USER32(?,?), ref: 00FE5ACC
_wcslen.LIBCMT ref: 00FE5B33
SetWindowTextW.USER32(?,?), ref: 00FE5B6F
GetDesktopWindow.USER32 ref: 00FE5B75
GetWindowRect.USER32(00000000), ref: 00FE5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FE5BD3
GetClientRect.USER32(?,?), ref: 00FE5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FE5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FE5C2F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ac064cd0dbb9736bcfac4e225183deae51af9a034c1e07116a6a00542ec57269
Instruction ID: 35864acb904836a82b2ef6454187239ee7b30a14125f13aa825d3c1c692531e5
Opcode Fuzzy Hash: ac064cd0dbb9736bcfac4e225183deae51af9a034c1e07116a6a00542ec57269
Instruction Fuzzy Hash: 27718031900B45AFDB20DFA9CE85BAEBBF5FF48B18F104918E182A3590D779E900DB50

Function 00FFFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FFFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FFFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FFFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FFFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FFFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FFFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FFFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FFFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FFFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FFFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FFFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FFFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FFFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FFFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FFFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FFFECC
GetCursorInfo.USER32(?), ref: 00FFFEDC
GetLastError.KERNEL32 ref: 00FFFF1E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9ffe22c31c17f3c7abde822825fa95385136e83dc855e704b6e719c7083bad9b
Instruction ID: 0725e69df3a8dfbbd98082de421aabf30da01b5ed288bf9e0b92d86819cdfb70
Opcode Fuzzy Hash: 9ffe22c31c17f3c7abde822825fa95385136e83dc855e704b6e719c7083bad9b
Instruction Fuzzy Hash: 4D4144B0D443196ADB109FBA8C8586EBFE8FF04764B50452AE11DEB291DB78E901CF91

Function 00FA00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FA00C6

Part of subcall function 00FA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0105070C,00000FA0,C331647A,?,?,?,?,00FC23B3,000000FF), ref: 00FA011C
Part of subcall function 00FA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FC23B3,000000FF), ref: 00FA0127
Part of subcall function 00FA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FC23B3,000000FF), ref: 00FA0138
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FA014E
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FA015C
Part of subcall function 00FA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FA016A
Part of subcall function 00FA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA0195
Part of subcall function 00FA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA01A0

___scrt_fastfail.LIBCMT ref: 00FA00E7

Part of subcall function 00FA00A3: __onexit.LIBCMT ref: 00FA00A9

Strings

SleepConditionVariableCS, xrefs: 00FA0154
InitializeConditionVariable, xrefs: 00FA0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FA0122
kernel32.dll, xrefs: 00FA0133
WakeAllConditionVariable, xrefs: 00FA0162

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 16f9b12f83ae28c125845a1305354d0f58bbccaa507183ff7387bea715c7b06f
Instruction ID: 8b605c59af09fa30c1b51d8c52d489d32fea519e07eef3e52641ad9c339b1ac2
Opcode Fuzzy Hash: 16f9b12f83ae28c125845a1305354d0f58bbccaa507183ff7387bea715c7b06f
Instruction Fuzzy Hash: 8521D4B2E857116BF7206B65BD06B6E33A4EB06B61F00012AF881E7248DF6DCC009B90

Function 00FE30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE318D
_wcslen.LIBCMT ref: 00FE31F8

Strings

INSTANCE, xrefs: 00FE3453
CLASSNN, xrefs: 00FE31F3, 00FE3204
CLASS, xrefs: 00FE3188, 00FE31A5
NAME, xrefs: 00FE3335, 00FE3346
REGEXPCLASS, xrefs: 00FE3255, 00FE3266
TEXT, xrefs: 00FE347C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7267521b100ff8eb55ea66955495ae86bd8a41219df339419ed094d4322a866c
Instruction ID: bae3206c6f72a12b4d45c24d940a617d78268aafc01608b9b1af219ad2a8e2a1
Opcode Fuzzy Hash: 7267521b100ff8eb55ea66955495ae86bd8a41219df339419ed094d4322a866c
Instruction Fuzzy Hash: E9E1D532E00656ABCB14DF66C84DBEEFBB4BF44720F548129E456E7240DB34AE45AB90

Function 00FF44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0101CC08), ref: 00FF4527
_wcslen.LIBCMT ref: 00FF453B
_wcslen.LIBCMT ref: 00FF4599
_wcslen.LIBCMT ref: 00FF45F4
_wcslen.LIBCMT ref: 00FF463F
_wcslen.LIBCMT ref: 00FF46A7

Part of subcall function 00F9F9F2: _wcslen.LIBCMT ref: 00F9F9FD

GetDriveTypeW.KERNEL32(?,01046BF0,00000061), ref: 00FF4743

Strings

removable, xrefs: 00FF45EA, 00FF45EF
ramdisk, xrefs: 00FF46F1
cdrom, xrefs: 00FF458F, 00FF4594
fixed, xrefs: 00FF4635, 00FF463A
unknown, xrefs: 00FF4708
network, xrefs: 00FF469D, 00FF46A2
all, xrefs: 00FF4531, 00FF4536

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 43764760e56fdaa035a162387ee6ae59f37e947037a8c2e7c618489adb8b56ec
Instruction ID: c9a008eb12257a48b14e4087b37c2fe8bd0cc3af76e161761defd7748a64b0b2
Opcode Fuzzy Hash: 43764760e56fdaa035a162387ee6ae59f37e947037a8c2e7c618489adb8b56ec
Instruction Fuzzy Hash: 70B10371A083069BC710EF28C890A7BF7E5BF96720F54491DF696C72A1E734E844DB92

Function 01003FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0101CC08), ref: 010040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0101CC08), ref: 010040F2
FreeLibrary.KERNEL32(00000000,?,0101CC08), ref: 0100413E
StringFromGUID2.OLE32(?,?,00000028,?,0101CC08), ref: 010041A8
SysFreeString.OLEAUT32(00000009), ref: 01004262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010042C8
SysFreeString.OLEAUT32(?), ref: 010042F2

Strings

kernel32.dll, xrefs: 010040B6
GetModuleHandleExW, xrefs: 010040C7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c27aefad52e15a6c9bbcabe8bb37382c380811ce5d645656c08bc30f74d9b6cd
Instruction ID: 0bcf8e99a4bc962e0579cee8d43ea0f0f10efb92bd7a7efd0c4caf3c9e8e8ce8
Opcode Fuzzy Hash: c27aefad52e15a6c9bbcabe8bb37382c380811ce5d645656c08bc30f74d9b6cd
Instruction Fuzzy Hash: 28125C71A00105EFEB56CF58C884EAEBBB5FF45314F158098EA45EB291CB35ED46CBA0

Function 00F8326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01051990), ref: 00FC2F8D
GetMenuItemCount.USER32(01051990), ref: 00FC303D
GetCursorPos.USER32(?), ref: 00FC3081
SetForegroundWindow.USER32(00000000), ref: 00FC308A
TrackPopupMenuEx.USER32(01051990,00000000,?,00000000,00000000,00000000), ref: 00FC309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FC30A9

Strings

0, xrefs: 00F8327D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f2fb2e5ee1e72d028608c79fd4cb5e33ea312b3858367d735d5b789cd183cc30
Instruction ID: 943a25547ba62fc1c61c08ddc864dbda1eb58f4628b81cfa7cfe72cde62746c9
Opcode Fuzzy Hash: f2fb2e5ee1e72d028608c79fd4cb5e33ea312b3858367d735d5b789cd183cc30
Instruction Fuzzy Hash: 70714A71A4420ABEFB219F28CD4AFAABF64FF05774F20421AF5146A1E0C7B5AD50E750

Function 01016CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01016DEB

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01016E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01016E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01016E94
DestroyWindow.USER32(?), ref: 01016EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F80000,00000000), ref: 01016EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01016EFD
GetDesktopWindow.USER32 ref: 01016F16
GetWindowRect.USER32(00000000), ref: 01016F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01016F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01016F4D

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

Strings

0, xrefs: 01016D98
tooltips_class32, xrefs: 01016E58, 01016EDD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 30a0d395e0319f9fe27bd3b5a3d78fa293a73bb3334bb83dd84f5ec7667c34da
Instruction ID: 722939773edb8ccaa567eed1a181574feb60cd57bddf681873ccc436f9585a00
Opcode Fuzzy Hash: 30a0d395e0319f9fe27bd3b5a3d78fa293a73bb3334bb83dd84f5ec7667c34da
Instruction Fuzzy Hash: 53714970144244AFEB21DF18CC44BAABBF9EB89304F44095DFAD987265C7BAE905CB11

Function 0101911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

DragQueryPoint.SHELL32(?,?), ref: 01019147

Part of subcall function 01017674: ClientToScreen.USER32(?,?), ref: 0101769A
Part of subcall function 01017674: GetWindowRect.USER32(?,?), ref: 01017710
Part of subcall function 01017674: PtInRect.USER32(?,?,01018B89), ref: 01017720

SendMessageW.USER32(?,000000B0,?,?), ref: 010191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01019225
SendMessageW.USER32(?,000000B0,?,?), ref: 0101923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01019255
SendMessageW.USER32(?,000000B1,?,?), ref: 01019277
DragFinish.SHELL32(?), ref: 0101927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01019371

Strings

@GUI_DRAGID, xrefs: 010192E9
@GUI_DRAGFILE, xrefs: 01019320
@GUI_DROPID, xrefs: 0101929E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: bd73959cb75dd030328060ef5e9f8d3e19c4a7dbdd8f8aabe5bb802e60da2e57
Instruction ID: e59af4bd4132c7d5d8af5a9e8270fd0e583feff455e70ded32efd7df8e2bc6ec
Opcode Fuzzy Hash: bd73959cb75dd030328060ef5e9f8d3e19c4a7dbdd8f8aabe5bb802e60da2e57
Instruction Fuzzy Hash: 0C617871108301AFD711EF64DC85DAFBBE8EF89354F00091EF596931A0DB79AA48CB62

Function 00FFC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FFC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FFC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FFC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FFC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FFC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FFC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FFC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FFC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FFC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FFC5F0
InternetCloseHandle.WININET(00000000), ref: 00FFC5FB

Strings

, xrefs: 00FFC575

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 73c6abaa9eb315ec525972fee1629aa247584188bb9813a00177cd67176c7897
Instruction ID: ca6239591284c9caabaae18305fec8d4b70568309aa8e63617fb93be4030531e
Opcode Fuzzy Hash: 73c6abaa9eb315ec525972fee1629aa247584188bb9813a00177cd67176c7897
Instruction Fuzzy Hash: 8C514FB154021DBFEB218F60CA48ABB7BBCFF04754F084419FA45D6250DB79E944EBA0

Function 0101856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01018592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185BA
GlobalLock.KERNEL32(00000000), ref: 010185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185D7
GlobalUnlock.KERNEL32(00000000), ref: 010185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0101FC38,?), ref: 01018611
GlobalFree.KERNEL32(00000000), ref: 01018621
GetObjectW.GDI32(?,00000018,?), ref: 01018641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01018671
DeleteObject.GDI32(?), ref: 01018699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010186AF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 016c6690ee0f2238c4cf81ae3b455ff9cbe2528ccea7dda8bce4ee0d1ee6ec35
Instruction ID: 57c064418ce08d090b0c69ef5eef8e1e126b45e6b2b403fcf8435c39b4a96016
Opcode Fuzzy Hash: 016c6690ee0f2238c4cf81ae3b455ff9cbe2528ccea7dda8bce4ee0d1ee6ec35
Instruction Fuzzy Hash: 34412975640204AFEB219FA9CD48EAE7BBCFF89711F108459F989E7254D739DA01CB20

Function 00FF14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FF1502
VariantCopy.OLEAUT32(?,?), ref: 00FF150B
VariantClear.OLEAUT32(?), ref: 00FF1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FF15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FF1657
VariantInit.OLEAUT32(?), ref: 00FF1708
SysFreeString.OLEAUT32(?), ref: 00FF178C
VariantClear.OLEAUT32(?), ref: 00FF17D8
VariantClear.OLEAUT32(?), ref: 00FF17E7
VariantInit.OLEAUT32(00000000), ref: 00FF1823

Strings

Default, xrefs: 00FF16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00FF1625

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ea771ae86dc5fb51f8050f883046bf9e13c3a64abadb90913a554a3c925518bb
Instruction ID: ebc0f43be4724a99f3f718e28a33032b6078bfb612f458c7dee9567fb6a9a6ab
Opcode Fuzzy Hash: ea771ae86dc5fb51f8050f883046bf9e13c3a64abadb90913a554a3c925518bb
Instruction Fuzzy Hash: 26D11332A04119DBEF14AF65D885B79B7B6BF44700F188056F646AB1A0DB38DC44FBA1

Function 0100B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0100B80A
RegCloseKey.ADVAPI32(?), ref: 0100B87E
RegCloseKey.ADVAPI32(?), ref: 0100B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0100B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0100B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0100B922
FreeLibrary.KERNEL32(00000000), ref: 0100B983
RegCloseKey.ADVAPI32(00000000), ref: 0100B994

Strings

advapi32.dll, xrefs: 0100B8ED
RegDeleteKeyExW, xrefs: 0100B8FE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 3f25d027855534239bcfde229a6e69c0c0a43739de4a6d6445b7473dba9f8b45
Instruction ID: 5e6bcda75d8053360431c74f5f9ef3b7b8518d4f220410c976356aca4b669961
Opcode Fuzzy Hash: 3f25d027855534239bcfde229a6e69c0c0a43739de4a6d6445b7473dba9f8b45
Instruction Fuzzy Hash: 45C1A334208201AFE715DF18C495F6ABBE1FF85308F18859CF59A8B3A2CB75E945CB91

Function 0100255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010025E8
CreateCompatibleDC.GDI32(?), ref: 010025F4
SelectObject.GDI32(00000000,?), ref: 01002601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0100266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010026D0
SelectObject.GDI32(?,?), ref: 010026D8
DeleteObject.GDI32(?), ref: 010026E1
DeleteDC.GDI32(?), ref: 010026E8
ReleaseDC.USER32(00000000,?), ref: 010026F3

Strings

(, xrefs: 0100268D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 31ad635ad1d1e9f59e8a8093c0be4ecdd23e3d68309ff52584a58e24dfbf51c5
Instruction ID: 534b208e1c9f9e5a062707c254040e2a1cc0273d1528e2cae380288d6d06165b
Opcode Fuzzy Hash: 31ad635ad1d1e9f59e8a8093c0be4ecdd23e3d68309ff52584a58e24dfbf51c5
Instruction Fuzzy Hash: 84611375D00219EFDF15CFA8C988AAEBBF6FF48310F208529E999A7240D735A940CF50

Function 00FBDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FBDAA1

Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD659
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD66B
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD67D
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD68F
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6A1
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6B3
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6C5
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6D7
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6E9
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD6FB
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD70D
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD71F
Part of subcall function 00FBD63C: _free.LIBCMT ref: 00FBD731

_free.LIBCMT ref: 00FBDA96

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBDAB8
_free.LIBCMT ref: 00FBDACD
_free.LIBCMT ref: 00FBDAD8
_free.LIBCMT ref: 00FBDAFA
_free.LIBCMT ref: 00FBDB0D
_free.LIBCMT ref: 00FBDB1B
_free.LIBCMT ref: 00FBDB26
_free.LIBCMT ref: 00FBDB5E
_free.LIBCMT ref: 00FBDB65
_free.LIBCMT ref: 00FBDB82
_free.LIBCMT ref: 00FBDB9A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1297d1112d4b4bb5836021c2328089dae520ee7c8e0324a76f17d72751eb40cc
Instruction ID: 5a3f97e31a81f9ea66c2bc5cfe721aca30f0235d7a6bffb968deaf7d5c95de9c
Opcode Fuzzy Hash: 1297d1112d4b4bb5836021c2328089dae520ee7c8e0324a76f17d72751eb40cc
Instruction Fuzzy Hash: F4316F31A04304AFEB65AA3ADC45BD6B7E9FF40320F158819E449D7592EF39AC40BF21

Function 00FE365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FE369C
_wcslen.LIBCMT ref: 00FE36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FE3797
GetClassNameW.USER32(?,?,00000400), ref: 00FE380C
GetDlgCtrlID.USER32(?), ref: 00FE385D
GetWindowRect.USER32(?,?), ref: 00FE3882
GetParent.USER32(?), ref: 00FE38A0
ScreenToClient.USER32(00000000), ref: 00FE38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FE3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FE395D

Strings

%s%u, xrefs: 00FE3734

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2982ec903e39a6e753d2b65f2092f800e8f7fd5334364d62762dcc96e6d299e8
Instruction ID: 97094c9ab3d8d7b7321479c6849247791c4068b40d01c8d12c7f0eedb6c910cd
Opcode Fuzzy Hash: 2982ec903e39a6e753d2b65f2092f800e8f7fd5334364d62762dcc96e6d299e8
Instruction Fuzzy Hash: 1191D271604346AFD718DE26C88DFAAF7A9FF44320F008629F999C3181DB34EA45DB91

Function 00FE4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FE4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FE49DA
_wcslen.LIBCMT ref: 00FE49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FE49F7
_wcsstr.LIBVCRUNTIME ref: 00FE4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FE4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FE4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FE4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FE4B20
GetWindowRect.USER32(?,?), ref: 00FE4B8B

Strings

ThumbnailClass, xrefs: 00FE4A6F, 00FE4AF1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b37cb459c5ec8dee574d1765a811644cb89b92ff186ed6fc5f9ff94cd1a85d2a
Instruction ID: 68f4c761b71173645fcc49f25cc96de06f10480305e37a1facebf5510c995bf9
Opcode Fuzzy Hash: b37cb459c5ec8dee574d1765a811644cb89b92ff186ed6fc5f9ff94cd1a85d2a
Instruction Fuzzy Hash: AE91EC714082459FDB04CE16C984FAA77E9FF88724F04846DFD859A086DB38FD45EBA1

Function 01018D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01018D5A
GetFocus.USER32 ref: 01018D6A
GetDlgCtrlID.USER32(00000000), ref: 01018D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01018E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01018ECF
GetMenuItemCount.USER32(?), ref: 01018EEC
GetMenuItemID.USER32(?,00000000), ref: 01018EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01018F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01018F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01018FA1

Strings

0, xrefs: 01018E9F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: f215e4a450b7c30946d309788969405bf26c3fe10508d4751360dac210fd79c5
Instruction ID: eec4625bdf0a99d70010ac4fc8e0c234df99564ff438546562f3eb0f98c0a144
Opcode Fuzzy Hash: f215e4a450b7c30946d309788969405bf26c3fe10508d4751360dac210fd79c5
Instruction Fuzzy Hash: FC81C171508301AFEB61DF18C884AAB7BE9FB88354F04495EFAC5D7285D779DA00CB61

Function 00FEBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01051990,000000FF,00000000,00000030), ref: 00FEBFAC
SetMenuItemInfoW.USER32(01051990,00000004,00000000,00000030), ref: 00FEBFE1
Sleep.KERNEL32(000001F4), ref: 00FEBFF3
GetMenuItemCount.USER32(?), ref: 00FEC039
GetMenuItemID.USER32(?,00000000), ref: 00FEC056
GetMenuItemID.USER32(?,-00000001), ref: 00FEC082
GetMenuItemID.USER32(?,?), ref: 00FEC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FEC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEC145

Strings

0, xrefs: 00FEBF3D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: b2703f650811c33510ae505925d882b3bfdf6259c3d9a0ab91212118a585d4d5
Instruction ID: b90a92a59696128f36356690ec8980f8525c3de9c0cc718080de8de0eae6355f
Opcode Fuzzy Hash: b2703f650811c33510ae505925d882b3bfdf6259c3d9a0ab91212118a585d4d5
Instruction Fuzzy Hash: C5619171900386AFEF21CFA5D988AEE7BB8EB05354F044055F951E3291C739AD46EBA0

Function 00FEDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FEDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FEDC46
_wcslen.LIBCMT ref: 00FEDC50
_wcsstr.LIBVCRUNTIME ref: 00FEDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FEDCBC

Strings

04090000, xrefs: 00FEDCF2
\VarFileInfo\Translation, xrefs: 00FEDCB4
%u.%u.%u.%u, xrefs: 00FEDD9A
StringFileInfo\, xrefs: 00FEDC8F
DefaultLangCodepage, xrefs: 00FEDD1F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0b5b354e5789050ed1ecf141f08db38b73319ff0fc7aacab743b231840be2b26
Instruction ID: 26c24f4e62db9293568412de249ec1f456425b7ddcb2aa8e878c5e2dcaefca4f
Opcode Fuzzy Hash: 0b5b354e5789050ed1ecf141f08db38b73319ff0fc7aacab743b231840be2b26
Instruction Fuzzy Hash: 184116B2A402057BEB20A6759C47EBF77ACEF46760F10006DF900EA142EB79D901B7A5

Function 0100CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0100CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0100CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0100CD48

Part of subcall function 0100CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0100CCAA
Part of subcall function 0100CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0100CCBD
Part of subcall function 0100CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0100CCCF
Part of subcall function 0100CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0100CD05
Part of subcall function 0100CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0100CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0100CCF3

Strings

advapi32.dll, xrefs: 0100CCB8
RegDeleteKeyExW, xrefs: 0100CCC9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7a1055b64763436db63a49cd2455c82cf49b8aa016cf0d4df6ed92eb3981f654
Instruction ID: 00f9ab9cc6f9c617c7bee006524a2e6f34d84b8f41fefa5c1db95b33752fef33
Opcode Fuzzy Hash: 7a1055b64763436db63a49cd2455c82cf49b8aa016cf0d4df6ed92eb3981f654
Instruction Fuzzy Hash: 2731807194112DBBF7329A55DD88EFFBFBCEF06640F0002A9F981E2144D7389A459BA0

Function 00FF3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FF3D40
_wcslen.LIBCMT ref: 00FF3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FF3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FF3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FF3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FF3E55
CloseHandle.KERNEL32(00000000), ref: 00FF3E60
CloseHandle.KERNEL32(00000000), ref: 00FF3E6B

Strings

\, xrefs: 00FF3D77
\??\%s, xrefs: 00FF3D5B
:, xrefs: 00FF3D82

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 44b88753779ab36275034e3f213b7f6082abc475fe6314010cd9a6442c3781a5
Instruction ID: ce2797fcad75f4079a9e860833faa0e590f22c4fb7ca02785e3d631adefc20d8
Opcode Fuzzy Hash: 44b88753779ab36275034e3f213b7f6082abc475fe6314010cd9a6442c3781a5
Instruction Fuzzy Hash: 5A318EB2940219ABDB209FA0DC49FEF37BDEF89750F1040A5F649D6064EB78D7449B24

Function 00FEE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FEE6B4

Part of subcall function 00F9E551: timeGetTime.WINMM(?,?,00FEE6D4), ref: 00F9E555

Sleep.KERNEL32(0000000A), ref: 00FEE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FEE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FEE727
SetActiveWindow.USER32 ref: 00FEE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FEE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FEE773
Sleep.KERNEL32(000000FA), ref: 00FEE77E
IsWindow.USER32 ref: 00FEE78A
EndDialog.USER32(00000000), ref: 00FEE79B

Strings

BUTTON, xrefs: 00FEE719

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 33b1333de6fcec80d3b78bb0d5bc21748c20ddc0ce9eff84c89ccf27513a7225
Instruction ID: 7bc88e7bdf2888a61490d20988f343d54dbdbeabfa4e74e87ee3bdf2b420afce
Opcode Fuzzy Hash: 33b1333de6fcec80d3b78bb0d5bc21748c20ddc0ce9eff84c89ccf27513a7225
Instruction Fuzzy Hash: 46218470240385EFFB205F21FD89B263B69FB59758B104824F49582149DB7FEC50EB25

Function 00FEE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FEEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FEEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FEEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FEEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FEEAA7

Strings

play PlayMe wait, xrefs: 00FEEA91
open , xrefs: 00FEEA0C
alias PlayMe, xrefs: 00FEEA36
status PlayMe mode, xrefs: 00FEEA58
play PlayMe, xrefs: 00FEEAA2
close PlayMe, xrefs: 00FEEA6E, 00FEEA9B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3f04bea1852c15db4c47a827d5ba551838683681a444a09892728f2bd842f7ab
Instruction ID: 340291955ae192cfc23d0b412fa13cface0d3b690d6ec6f48f5c62be894bf05f
Opcode Fuzzy Hash: 3f04bea1852c15db4c47a827d5ba551838683681a444a09892728f2bd842f7ab
Instruction Fuzzy Hash: CE11A775A502697AD720B7A3DC8ADFF7A7CEBD2F10F00043DB441A6090EEA51D05D6B0

Function 00FE9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FEA012
SetKeyboardState.USER32(?), ref: 00FEA07D
GetAsyncKeyState.USER32(000000A0), ref: 00FEA09D
GetKeyState.USER32(000000A0), ref: 00FEA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00FEA0E3
GetKeyState.USER32(000000A1), ref: 00FEA0F4
GetAsyncKeyState.USER32(00000011), ref: 00FEA120
GetKeyState.USER32(00000011), ref: 00FEA12E
GetAsyncKeyState.USER32(00000012), ref: 00FEA157
GetKeyState.USER32(00000012), ref: 00FEA165
GetAsyncKeyState.USER32(0000005B), ref: 00FEA18E
GetKeyState.USER32(0000005B), ref: 00FEA19C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8672cd3eec6b8aa859226370583150fceba1b011518391335962b7c45c255656
Instruction ID: 36cbc4671d61f4559de55488fbd1d5e15e505d05a2ca7bc639a4c86cb909534f
Opcode Fuzzy Hash: 8672cd3eec6b8aa859226370583150fceba1b011518391335962b7c45c255656
Instruction Fuzzy Hash: 6251D930D087C829FB35DB6288117EABFB59F12390F08859DD5C2571C2DA98BA4CDB63

Function 00FE5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FE5CE2
GetWindowRect.USER32(00000000,?), ref: 00FE5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FE5D59
GetDlgItem.USER32(?,00000002), ref: 00FE5D69
GetWindowRect.USER32(00000000,?), ref: 00FE5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FE5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FE5DDD
GetWindowRect.USER32(00000000,?), ref: 00FE5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FE5E31
GetDlgItem.USER32(?,000003EA), ref: 00FE5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FE5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FE5E67

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f2b082725c6be037e8c63ec92ac1a5ae863434b29e0ddb8d1803df2e76091aeb
Instruction ID: c31e61be770c60f43b9f12d5b8fe8819034be492649f9333af9fe44b1b839697
Opcode Fuzzy Hash: f2b082725c6be037e8c63ec92ac1a5ae863434b29e0ddb8d1803df2e76091aeb
Instruction Fuzzy Hash: EB511C71A40605AFDB18CF69CE89AAEBBB5BB48714F108129F515E7294D774EE00CB50

Function 00F98BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F98BE8,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98FC5

DestroyWindow.USER32(?), ref: 00F98C81
KillTimer.USER32(00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00F98D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00FD6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00FD69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000,?), ref: 00FD69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F98BBA,00000000), ref: 00FD69D4
DeleteObject.GDI32(00000000), ref: 00FD69E6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d02ee3fa33a1e8e1434488aaadd6b5643a2293c94d82eb2294677ea3c2b0db7b
Instruction ID: c421aa5a6112c97a3bdbaa3bee8f303789e7da38bdca74d19c952bd741251f65
Opcode Fuzzy Hash: d02ee3fa33a1e8e1434488aaadd6b5643a2293c94d82eb2294677ea3c2b0db7b
Instruction Fuzzy Hash: AD619F31901701DFEF359F14DA48B2677F2FB42362F144519E08297654CB7AAD82EB90

Function 00F99838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F99944: GetWindowLongW.USER32(?,000000EB), ref: 00F99952

GetSysColor.USER32(0000000F), ref: 00F99862

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b1d88beb78022269413847eb3d50e0052b653f87392ea03f8ed346a1a6792458
Instruction ID: b13b5e520f09c609750dd96ae8a63bc9c8460d539a89295cfa91d49152e8a81c
Opcode Fuzzy Hash: b1d88beb78022269413847eb3d50e0052b653f87392ea03f8ed346a1a6792458
Instruction Fuzzy Hash: 1D419231548640AFEF305F3C9884BB93765AB06330F59461DF9A28B2D5D77ADC81EB11

Function 00FE96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FE9717
LoadStringW.USER32(00000000,?,00FCF7F8,00000001), ref: 00FE9720

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FE9742
LoadStringW.USER32(00000000,?,00FCF7F8,00000001), ref: 00FE9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FE9866

Strings

^ ERROR, xrefs: 00FE97FB
Line %d:, xrefs: 00FE97A0
%s (%d) : ==> %s: %s %s, xrefs: 00FE984A
Error: , xrefs: 00FE981D
Line %d (File "%s"):, xrefs: 00FE978F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 197f320be951fbcd5bf398260c78db53b5b30f8e5d47dda2a00363e285a25449
Instruction ID: fab9620e6b8cf0b169a74b83fc2d73cde0e7a68fc9651bbb942e2ae8f3779417
Opcode Fuzzy Hash: 197f320be951fbcd5bf398260c78db53b5b30f8e5d47dda2a00363e285a25449
Instruction Fuzzy Hash: F0415D72904219AADF04FBE1CE86EEE7378AF55740F540025F601B2092EB796F49EB61

Function 00FE06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FE07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FE07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FE07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FE0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FE082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE083C

Strings

\IPC$, xrefs: 00FE0784
\CLSID, xrefs: 00FE0724
SOFTWARE\Classes\, xrefs: 00FE070E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 863e8aeb0ba8d30abb35a5ece114de9cae4d552ebc65a20db187aa0aa34b6286
Instruction ID: 62fd45525956376235bd1da76421ffda8b236dceda0dee24efe537fbc60779dd
Opcode Fuzzy Hash: 863e8aeb0ba8d30abb35a5ece114de9cae4d552ebc65a20db187aa0aa34b6286
Instruction Fuzzy Hash: 90410472C10229ABDF25EFA4DC85CEDB778FF04750B04412AF901A7161EB78AE44DBA0

Function 01013F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0101403B
CreateCompatibleDC.GDI32(00000000), ref: 01014042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01014055
SelectObject.GDI32(00000000,00000000), ref: 0101405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01014068
DeleteDC.GDI32(00000000), ref: 01014072
GetWindowLongW.USER32(?,000000EC), ref: 0101407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01014092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0101409E

Strings

static, xrefs: 01013FD3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 29625a43c22a863f069351cb585fcfea56c85ea2c083ac6cf199f096193c1d76
Instruction ID: bbf480aac464b6c5e9bcea68ea9780ac10da725d9a2dfc0902edf46d2b638587
Opcode Fuzzy Hash: 29625a43c22a863f069351cb585fcfea56c85ea2c083ac6cf199f096193c1d76
Instruction Fuzzy Hash: 20316C32141215ABEF229FA8DD08FDA3BA9FF0D324F110215FA98E6194C77ED860DB54

Function 01003C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01003C5C
CoInitialize.OLE32(00000000), ref: 01003C8A
CoUninitialize.OLE32 ref: 01003C94
_wcslen.LIBCMT ref: 01003D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01003DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01003ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01003F0E
CoGetObject.OLE32(?,00000000,0101FB98,?), ref: 01003F2D
SetErrorMode.KERNEL32(00000000), ref: 01003F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01003FC4
VariantClear.OLEAUT32(?), ref: 01003FD8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 6103fab19a4d917cdc787a8a94f9b62cabfff884b86e276dcc0ebe2936f4004f
Instruction ID: 311d9f1fa4ab3ffda7fb34f9c26d8d0a247434f49a7e6312cab2e0c1c86cceaf
Opcode Fuzzy Hash: 6103fab19a4d917cdc787a8a94f9b62cabfff884b86e276dcc0ebe2936f4004f
Instruction Fuzzy Hash: D7C165716083059FE702EF28C88492BBBE9FF89744F04495DF98A9B291DB35ED05CB52

Function 00FF7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FF7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FF7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FF7BA3
CoCreateInstance.OLE32(0101FD08,00000000,00000001,01046E6C,?), ref: 00FF7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FF7C74
CoTaskMemFree.OLE32(?,?), ref: 00FF7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FF7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FF7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FF7D81
CoTaskMemFree.OLE32(00000000), ref: 00FF7DD6
CoUninitialize.OLE32 ref: 00FF7DDC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a40f9c7a74ad1206b9ee67d6551bb102ee937cf8c8931c12f68af763715da88e
Instruction ID: 95f885880a6f131192f1fc82e1892f867f89e0e8056827f3d57d5446e3a04237
Opcode Fuzzy Hash: a40f9c7a74ad1206b9ee67d6551bb102ee937cf8c8931c12f68af763715da88e
Instruction Fuzzy Hash: 11C14B75A04209AFDB14EFA4C884DAEBBF9FF48314B148098E915DB361DB35ED41DB90

Function 0101541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01015504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01015515
CharNextW.USER32(00000158), ref: 01015544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01015585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0101559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010155AC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 093ccbb90df7b2f850c3838a433ad061aa6757603ab905113f252f65be6af5f2
Instruction ID: d1aa2155b2a9d82948006722d8bf031874007ffe285fb4999b675994545976f3
Opcode Fuzzy Hash: 093ccbb90df7b2f850c3838a433ad061aa6757603ab905113f252f65be6af5f2
Instruction Fuzzy Hash: 0C618230A40209AFEF208F54CD849FE7BB9EB4B728F004545F6A5AF294D77D9641CB61

Function 00FDFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FDFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00FDFB08
VariantInit.OLEAUT32(?), ref: 00FDFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FDFB3A
VariantCopy.OLEAUT32(?,?), ref: 00FDFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FDFBA1
VariantClear.OLEAUT32(?), ref: 00FDFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FDFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FDFBCC
VariantClear.OLEAUT32(?), ref: 00FDFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FDFBE9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fd5dc1e5a74c158370a51067c5d3ba68c0a1d1c1fa15b2d0c464681a7cbfa1b5
Instruction ID: f56f7d14e6b3a26255a74d8df753c097c68825d360ba5e1b9f2846be34a7ff31
Opcode Fuzzy Hash: fd5dc1e5a74c158370a51067c5d3ba68c0a1d1c1fa15b2d0c464681a7cbfa1b5
Instruction Fuzzy Hash: 5C41A135A402199FDB10DFA4D844DADBBB9FF48354F04802AE946A7351CB39E945DBA0

Function 00FE9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FE9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FE9D22
GetKeyState.USER32(000000A0), ref: 00FE9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FE9D57
GetKeyState.USER32(000000A1), ref: 00FE9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FE9D84
GetKeyState.USER32(00000011), ref: 00FE9D96
GetAsyncKeyState.USER32(00000012), ref: 00FE9DAE
GetKeyState.USER32(00000012), ref: 00FE9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FE9DD8
GetKeyState.USER32(0000005B), ref: 00FE9DEA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2b9e723b3ab826a4643d59b6f7236ccc366402f07d4aeac7939ba2ca92566509
Instruction ID: ff67f0f55c96325f2bed8dcb454a7a3a74e04652ce28c252292723076dd291f8
Opcode Fuzzy Hash: 2b9e723b3ab826a4643d59b6f7236ccc366402f07d4aeac7939ba2ca92566509
Instruction Fuzzy Hash: 20411830D0C7CA6DFF30966688043B5BEE16F11324F08805EDAC6562C2DBE999C8D7B2

Function 0100055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010005BC
inet_addr.WSOCK32(?), ref: 0100061C
gethostbyname.WSOCK32(?), ref: 01000628
IcmpCreateFile.IPHLPAPI ref: 01000636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010007B9
WSACleanup.WSOCK32 ref: 010007BF

Strings

Ping, xrefs: 01000676

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6ef04543262a0e47de3982b9f6908046188f36b21ce141a8a11cd23312c56966
Instruction ID: 8737fbe000a1cff9dfa2db22e3d668d8cc6dd4f2c58682b5cd4be79c4089a30f
Opcode Fuzzy Hash: 6ef04543262a0e47de3982b9f6908046188f36b21ce141a8a11cd23312c56966
Instruction Fuzzy Hash: B391D4346042019FE321DF18C888F1ABBE0BF49358F148599F5A98B7A6C739ED45CF91

Function 01008CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01008CF3

Part of subcall function 00FE8E54: _wcslen.LIBCMT ref: 00FE8E77

_wcslen.LIBCMT ref: 01008D4E
_wcslen.LIBCMT ref: 01008D9C
_wcslen.LIBCMT ref: 01008DDC
_wcslen.LIBCMT ref: 01008E6E

Strings

winapi, xrefs: 01008D96, 01008D9B
stdcall, xrefs: 01008DD6, 01008DDB
none, xrefs: 01008E65, 01008E6A
cdecl, xrefs: 01008D48, 01008D4D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 851c1fbe7c9db79903a4bf1295b389c451db1f9984528de2127c70f4b447013f
Instruction ID: 0706e21af84fb241d8f492bb7e576f86886c95f56094e03f5cfb201c5dd5acfb
Opcode Fuzzy Hash: 851c1fbe7c9db79903a4bf1295b389c451db1f9984528de2127c70f4b447013f
Instruction Fuzzy Hash: BD51B071E001169BEB16EF6CC9408BEB7E5BF65320F20826AE5A6E72C5DB35DD40C790

Function 0100372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01003774
CoUninitialize.OLE32 ref: 0100377F
CoCreateInstance.OLE32(?,00000000,00000017,0101FB78,?), ref: 010037D9
IIDFromString.OLE32(?,?), ref: 0100384C
VariantInit.OLEAUT32(?), ref: 010038E4
VariantClear.OLEAUT32(?), ref: 01003936

Strings

Invalid parameter, xrefs: 01003865
Failed to create object, xrefs: 010037E4, 0100389A
NULL Pointer assignment, xrefs: 0100381E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 524acd89240de54ba8efdde747c769ec84ca7fef3edf3aaf5463e8402ec8eec1
Instruction ID: 6e86f2485afeb94400de06415d71a7530654892f85cf35aaf5d23fee83389a6c
Opcode Fuzzy Hash: 524acd89240de54ba8efdde747c769ec84ca7fef3edf3aaf5463e8402ec8eec1
Instruction Fuzzy Hash: D5619F70608301AFE322DF54C889B6ABBE4FF49714F04089DF9C59B291D774EA48CB92

Function 00FF3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FF33CF

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FF33F0

Strings

^ ERROR , xrefs: 00FF349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00FF3504
"%s" (%d) : ==> %s:, xrefs: 00FF3522
Error: , xrefs: 00FF34D1
Incorrect parameters to object property !, xrefs: 00FF34AB
Line %d (File "%s"):, xrefs: 00FF3443, 00FF345C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 19c0de8c5d8a634f041702574de0883400b02a3995a31f6632f7083d94eb7b14
Instruction ID: 55e688fc15b736617a227843bbe651d9d4734a0f55bfeb37aaccccf79695936f
Opcode Fuzzy Hash: 19c0de8c5d8a634f041702574de0883400b02a3995a31f6632f7083d94eb7b14
Instruction Fuzzy Hash: 09518C7290420AAADF14FBA0CD46EFEB379AF05740F144065F50572062EB7A6F58EB60

Function 00FEB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FEB5FC
_wcslen.LIBCMT ref: 00FEB608
_wcslen.LIBCMT ref: 00FEB64D
_wcslen.LIBCMT ref: 00FEB68C
_wcslen.LIBCMT ref: 00FEB6C7

Strings

KEYS, xrefs: 00FEB647, 00FEB64C
REMOVE, xrefs: 00FEB602, 00FEB607
EXISTS, xrefs: 00FEB686, 00FEB68B
APPEND, xrefs: 00FEB6C1, 00FEB6C6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: beb1e5a22710fba0227b721ba0acac3606a945b90aaf528cc4e99d877cd405a1
Instruction ID: 9fef4ce31d31c3d55f0ff9afa9adc9e35e5a4a8307c866e5b66ea327804e1811
Opcode Fuzzy Hash: beb1e5a22710fba0227b721ba0acac3606a945b90aaf528cc4e99d877cd405a1
Instruction Fuzzy Hash: E541D372E000669BCB20AF7ECC905BFB7A5BBA1764B244169E461DB284F735CD81E790

Function 00FF5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FF5416
GetLastError.KERNEL32 ref: 00FF5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FF54A7

Strings

READY, xrefs: 00FF5460, 00FF5468
NOTREADY, xrefs: 00FF544B
INVALID, xrefs: 00FF5459
UNKNOWN, xrefs: 00FF5444
READONLY, xrefs: 00FF5452

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4acfac28f76718976e02937bd41681fa7654c176f3b1af622c1823b41cb950f9
Instruction ID: 7393efbb1e7517737d0279cd90fe7057bc996b4e88f27434c20e2b3234e40b9c
Opcode Fuzzy Hash: 4acfac28f76718976e02937bd41681fa7654c176f3b1af622c1823b41cb950f9
Instruction Fuzzy Hash: A831F375E002099FD710DF68C494BB9BBB4FF05715F148059E601CB262D776DD82DBA0

Function 01013C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01013C79
SetMenu.USER32(?,00000000), ref: 01013C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01013D10
IsMenu.USER32(?), ref: 01013D24
CreatePopupMenu.USER32 ref: 01013D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01013D5B
DrawMenuBar.USER32 ref: 01013D63

Strings

F, xrefs: 01013D4E
0, xrefs: 01013C54

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2ad7545dc8848fb5cf3d6f725653c12bf3c0074849e6353201a6e3ba21bba712
Instruction ID: a219b7c6fc178c1029e47526fa865b2e55e5490bc116fc6371457917f95e0b90
Opcode Fuzzy Hash: 2ad7545dc8848fb5cf3d6f725653c12bf3c0074849e6353201a6e3ba21bba712
Instruction Fuzzy Hash: E2418C78A01209AFEB24DF64E844B9A7BF5FF49314F040068EA869B354D739E910CB50

Function 00FE1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FE1F64
GetDlgCtrlID.USER32 ref: 00FE1F6F
GetParent.USER32 ref: 00FE1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE1F8E
GetDlgCtrlID.USER32(?), ref: 00FE1F97
GetParent.USER32(?), ref: 00FE1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE1FAE

Strings

ListBox, xrefs: 00FE1F21
ComboBox, xrefs: 00FE1EEC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 21d0d7b5d1deb50c62a65f0ee7ab09c0a876fe9658f781358175a3ee027cf68d
Instruction ID: eb7992d4d688960500a66a5c75f6ebe2010dbee60fe680a97418cb37e0dd464b
Opcode Fuzzy Hash: 21d0d7b5d1deb50c62a65f0ee7ab09c0a876fe9658f781358175a3ee027cf68d
Instruction Fuzzy Hash: 5521D370900214BFDF10AFA1CC84DFEBBB4AF09310B100515B99167291DB7D9904EBA0

Function 00FE1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FE2043
GetDlgCtrlID.USER32 ref: 00FE204E
GetParent.USER32 ref: 00FE206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE206D
GetDlgCtrlID.USER32(?), ref: 00FE2076
GetParent.USER32(?), ref: 00FE208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE208D

Strings

ListBox, xrefs: 00FE2002
ComboBox, xrefs: 00FE1FCD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a6380624cbe6674e4ec7d2bae1bbb0117d2878dc39d9b559b0179c49a5a8f238
Instruction ID: a058cf244e5033e408011e4adeef022aa52246af98c6d14b6356e0f28c2c0f86
Opcode Fuzzy Hash: a6380624cbe6674e4ec7d2bae1bbb0117d2878dc39d9b559b0179c49a5a8f238
Instruction Fuzzy Hash: BC21CFB1E40214BFDF11AFA1CC89EFEBBB8AF09300F100415B991A7195DA7E9914EB60

Function 01013A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01013A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01013AA0
GetWindowLongW.USER32(?,000000F0), ref: 01013AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01013AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01013B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01013BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01013BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01013BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01013BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01013C13

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5768ee14e6017f81fbc666ba851e825a4c419c90be0bc7dcaa585833887be2a7
Instruction ID: f428a67a2796901af71dbf4c97eb73577a1f4a90e4ee5fc8b8a0443c8f81aba3
Opcode Fuzzy Hash: 5768ee14e6017f81fbc666ba851e825a4c419c90be0bc7dcaa585833887be2a7
Instruction Fuzzy Hash: 82617975A00248AFEB20DFA8CC81EEE77F8FB09714F100199FA55AB291D778AD41DB50

Function 00FEB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FEB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FEB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FEA1E1,?,00000001), ref: 00FEB21D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 60718285dd89462f508aed84ab3f3bf79d1c88a5f9a9939ad580cc6371fb616c
Instruction ID: 8d9614efa8a2b3866af3360a8b328a870e5ad17bdd0fcc0279ff11f13a98a938
Opcode Fuzzy Hash: 60718285dd89462f508aed84ab3f3bf79d1c88a5f9a9939ad580cc6371fb616c
Instruction Fuzzy Hash: E731EC75940304BFEB269F25D958B6F7BA9BF543A1F10440AFA80CA184D7BEE8009F64

Function 00FB2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB2C94

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FB2CA0
_free.LIBCMT ref: 00FB2CAB
_free.LIBCMT ref: 00FB2CB6
_free.LIBCMT ref: 00FB2CC1
_free.LIBCMT ref: 00FB2CCC
_free.LIBCMT ref: 00FB2CD7
_free.LIBCMT ref: 00FB2CE2
_free.LIBCMT ref: 00FB2CED
_free.LIBCMT ref: 00FB2CFB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9eddbdd3f383a0b69ff7702ba66dce75b4b0f6e8dec44f5e35cf8cd3d6034244
Instruction ID: 7a8fad9da8aa41ae03b9bb1bb3a9fd26d51390f30233351358c8970358e3fafd
Opcode Fuzzy Hash: 9eddbdd3f383a0b69ff7702ba66dce75b4b0f6e8dec44f5e35cf8cd3d6034244
Instruction Fuzzy Hash: 89119476500108BFCB42EF5ADC42CDD3BB5BF05350F4148A5F9485B622DA35EA50AF90

Function 00FF7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FF7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FF8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FF8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FF80B0

Strings

*.*, xrefs: 00FF8066

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 789361ab6c3692e2a9ec3abdf51a2d4e55dbf57d696f2ac8e83da9023c2116e2
Instruction ID: fe04a308d052a5c2abb6278d21c5f79a656ca28c8a013b228fb50493a167b642
Opcode Fuzzy Hash: 789361ab6c3692e2a9ec3abdf51a2d4e55dbf57d696f2ac8e83da9023c2116e2
Instruction Fuzzy Hash: BA81D2729083499BCB20EF14C844ABEF3D8BF84320F54485EF685C7260EB79DD45AB92

Function 00F85BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F85C7A

Part of subcall function 00F85D0A: GetClientRect.USER32(?,?), ref: 00F85D30
Part of subcall function 00F85D0A: GetWindowRect.USER32(?,?), ref: 00F85D71
Part of subcall function 00F85D0A: ScreenToClient.USER32(?,?), ref: 00F85D99

GetDC.USER32 ref: 00FC46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FC4708
SelectObject.GDI32(00000000,00000000), ref: 00FC4716
SelectObject.GDI32(00000000,00000000), ref: 00FC472B
ReleaseDC.USER32(?,00000000), ref: 00FC4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FC47C4

Strings

U, xrefs: 00FC4693

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7816ed9635aa0efcb23feaf4db16405a84b18bc64e8418e7219d6a8aab6da515
Instruction ID: e7631172e589179ca93cf7783f97771c3b3fd6b06e097b858cdb32ef8980def2
Opcode Fuzzy Hash: 7816ed9635aa0efcb23feaf4db16405a84b18bc64e8418e7219d6a8aab6da515
Instruction Fuzzy Hash: AB71DF31800206DFCF219F64CA96FEA7BB1FF4A324F144269ED955A299C335A841FF50

Function 00FF359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FF35E4

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

LoadStringW.USER32(01052390,?,00000FFF,?), ref: 00FF360A

Strings

^ ERROR, xrefs: 00FF36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00FF3724
"%s" (%d) : ==> %s:, xrefs: 00FF3742
Error: , xrefs: 00FF36EF
Line %d (File "%s"):, xrefs: 00FF366B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: fd6d7c801248502b4d695caf18e166f01d91da94b94950f69c53178132d23a4a
Instruction ID: f76ece2e5bc963907b4d8f268d850e84df022e645c2d5eea645aa32c455a45d1
Opcode Fuzzy Hash: fd6d7c801248502b4d695caf18e166f01d91da94b94950f69c53178132d23a4a
Instruction Fuzzy Hash: 9A514C7290421ABADF14FBA0CC42EFEBB79AF05700F144125F20572162EB795B99EB60

Function 01018B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

Part of subcall function 00F9912D: GetCursorPos.USER32(?), ref: 00F99141
Part of subcall function 00F9912D: ScreenToClient.USER32(00000000,?), ref: 00F9915E
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000001), ref: 00F99183
Part of subcall function 00F9912D: GetAsyncKeyState.USER32(00000002), ref: 00F9919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01018B6B
ImageList_EndDrag.COMCTL32 ref: 01018B71
ReleaseCapture.USER32 ref: 01018B77
SetWindowTextW.USER32(?,00000000), ref: 01018C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01018C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01018CFF

Strings

@GUI_DRAGFILE, xrefs: 01018C9A
@GUI_DROPID, xrefs: 01018C51

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3feba73d71f0c683180faa95818fb1c5d2918f0a279f0e60785ee4da1927414c
Instruction ID: 8ddadef9e7c1e13089eb2954d1718d9a8af0abe268a7e6cfb2f425a92b8a4318
Opcode Fuzzy Hash: 3feba73d71f0c683180faa95818fb1c5d2918f0a279f0e60785ee4da1927414c
Instruction Fuzzy Hash: 18518C70104304AFE714EF24DC96FAB7BE4FB88714F40062DF99697295CB799A44CB62

Function 00FFC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FFC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FFC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FFC2CA
GetLastError.KERNEL32 ref: 00FFC322
SetEvent.KERNEL32(?), ref: 00FFC336
InternetCloseHandle.WININET(00000000), ref: 00FFC341

Strings

, xrefs: 00FFC2BB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9b31709cc5014fb42a19a52056d01f4a6b880669656ba69ecb14d53f5dfdf1f1
Instruction ID: aa3f842dfb61bbe64ee8d327f2793f87cf8675ec633c4b2c8e9c742fefd933a6
Opcode Fuzzy Hash: 9b31709cc5014fb42a19a52056d01f4a6b880669656ba69ecb14d53f5dfdf1f1
Instruction Fuzzy Hash: 413193B190021CAFD7219F648A84ABB7BFCEF45794B14451DF586D2210DB39DD04ABA1

Function 00FE989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FC3AAF,?,?,Bad directive syntax error,0101CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FE98BC
LoadStringW.USER32(00000000,?,00FC3AAF,?), ref: 00FE98C3

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FE9987

Strings

., xrefs: 00FE996D
Line %d:, xrefs: 00FE9912
Error: , xrefs: 00FE9955
%s (%d) : ==> %s.: %s %s, xrefs: 00FE98F1
Line %d (File "%s"):, xrefs: 00FE992D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 606a77162018af50c5e167413fff93ebe0fa88da1694bc16130464a761eb20be
Instruction ID: fabd153227fb355569d0fbd7c5790896765ed6f3bdc3666259fa285631734463
Opcode Fuzzy Hash: 606a77162018af50c5e167413fff93ebe0fa88da1694bc16130464a761eb20be
Instruction Fuzzy Hash: 6A219F32D4421ABBDF15AF90CC46EFE7735FF19700F044429F51566062EBBA9A28EB20

Function 00FE209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FE20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FE20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FE214D

Strings

SHELLDLL_DefView, xrefs: 00FE20CC
largeicons, xrefs: 00FE20E1
list, xrefs: 00FE212F
details, xrefs: 00FE20FB
smallicons, xrefs: 00FE2115

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5c264e9b2e74c99b130c46e398e78ee2f175a64c3aaac23188eec686938d8006
Instruction ID: a27339506a58de74f9271932ffbf2c586267b8ba1ef34c1049f26f2a575fc761
Opcode Fuzzy Hash: 5c264e9b2e74c99b130c46e398e78ee2f175a64c3aaac23188eec686938d8006
Instruction Fuzzy Hash: 18112CB76C8306BBF6112622DC07DA6379CCB05734B20002AFB44A90A1FEBDB9017A54

Function 00FB8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e596205f5be8777205fe0569edbbd180514a447bc16eddbcbe6d055f23175a53
Instruction ID: 9a968a54893b19f5e51b71d4f2dc3687bf7b534f3c1738d58a63b15ce7e16cdf
Opcode Fuzzy Hash: e596205f5be8777205fe0569edbbd180514a447bc16eddbcbe6d055f23175a53
Instruction Fuzzy Hash: B5C11575D08249AFDB11EFEAD840BEDBBB4AF49360F144059F554AB382C7798942EF20

Function 00FBCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FBCEB7
_free.LIBCMT ref: 00FBCF22
_free.LIBCMT ref: 00FBCF48
_free.LIBCMT ref: 00FBCF71
_free.LIBCMT ref: 00FBCFA9
_free.LIBCMT ref: 00FBCFDA
_free.LIBCMT ref: 00FBD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FBD09C
_free.LIBCMT ref: 00FBD0B5

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b991b0c28e10c3374310613209a3df7a3d50133022f63fa425492f36029d0a59
Instruction ID: 69e3681aa3da32466b000123c6907e1faed79ef3fcb34eac5efd2670824c3fc2
Opcode Fuzzy Hash: b991b0c28e10c3374310613209a3df7a3d50133022f63fa425492f36029d0a59
Instruction Fuzzy Hash: DB612671D04301ABDB21BF769881AFF7BA5AF05760F0441ADF9449B245E73A9900BFB1

Function 00F98B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00FD6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00FD68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FD68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00FD68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FD68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F98874,00000000,00000000,00000000,000000FF,00000000), ref: 00FD6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FD691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F98874,00000000,00000000,00000000,000000FF,00000000), ref: 00FD692D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 08d25eb4d0c98196bf262d1c6e786edde4c5f2fe6bf61b86765ce64d4c87722d
Instruction ID: 00e78c198f4069eea803932d362044cb7147fb759eb3db34e7acbd321126fb43
Opcode Fuzzy Hash: 08d25eb4d0c98196bf262d1c6e786edde4c5f2fe6bf61b86765ce64d4c87722d
Instruction Fuzzy Hash: 0C517A70A40205AFEF20CF24CC55BAA7BB6EF88760F144519F942D7290DB79E991EB50

Function 00FFC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FFC182
GetLastError.KERNEL32 ref: 00FFC195
SetEvent.KERNEL32(?), ref: 00FFC1A9

Part of subcall function 00FFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FFC272
Part of subcall function 00FFC253: GetLastError.KERNEL32 ref: 00FFC322
Part of subcall function 00FFC253: SetEvent.KERNEL32(?), ref: 00FFC336
Part of subcall function 00FFC253: InternetCloseHandle.WININET(00000000), ref: 00FFC341

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 849bf0e71813504ec0012e1ac87c769b0acdbe37dc787c0c8bf2b77a8a423ffd
Instruction ID: b6ed5a954f2a727e0179793b2040224db47815b9dcda91562baba5c7ef6ce5ce
Opcode Fuzzy Hash: 849bf0e71813504ec0012e1ac87c769b0acdbe37dc787c0c8bf2b77a8a423ffd
Instruction Fuzzy Hash: 8031B27154061DAFEB219FE5DE44AB6BBF8FF18310B00441DFA9683624C739E914EBA0

Function 00FE25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FE25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FE25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FE2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FE2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FE2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FE2627

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a207ce51d61051a27ece31067a6656663f4e148eefd25c64b3c497ea6a423993
Instruction ID: 6fd251cd73213edd5ae5469f29c04e3dc7d6c98a67bbcd7c61af7b3da8ab6386
Opcode Fuzzy Hash: a207ce51d61051a27ece31067a6656663f4e148eefd25c64b3c497ea6a423993
Instruction Fuzzy Hash: B501D4313D0354BBFB2067699C8EF593F99DB4EB12F100011F358AF0C4C9FA64449A69

Function 00FE1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FE1449,?,?,00000000), ref: 00FE180C
HeapAlloc.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE1449,?,?,00000000), ref: 00FE1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FE1449,?,?,00000000), ref: 00FE1830
DuplicateHandle.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE1449,?,?,00000000), ref: 00FE1843
GetCurrentProcess.KERNEL32(00FE1449,00000000,?,00FE1449,?,?,00000000), ref: 00FE184B
DuplicateHandle.KERNEL32(00000000,?,00FE1449,?,?,00000000), ref: 00FE184E
CreateThread.KERNEL32(00000000,00000000,00FE1874,00000000,00000000,00000000), ref: 00FE1868

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c05d5bb1b9d2aacfd95520cf5897f8b7684078d6a3ba4aa090c248bf0ce40a85
Instruction ID: 565c5dbb2ebe48893c24f9b29ae41f40fbeeed81e31f10005910dd226eaa9fad
Opcode Fuzzy Hash: c05d5bb1b9d2aacfd95520cf5897f8b7684078d6a3ba4aa090c248bf0ce40a85
Instruction Fuzzy Hash: 3C01ACB52C0344BFF720AB65DD49F577B6CEB89B11F004411FA45DB195C679D8008B20

Function 0100A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FED501
Part of subcall function 00FED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FED50F
Part of subcall function 00FED4DC: CloseHandle.KERNELBASE(00000000), ref: 00FED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100A16D
GetLastError.KERNEL32 ref: 0100A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0100A268
GetLastError.KERNEL32(00000000), ref: 0100A273
CloseHandle.KERNEL32(00000000), ref: 0100A2C4

Strings

SeDebugPrivilege, xrefs: 0100A18F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 28f3639ac4d97d37957dd4a2c7e7bc2407b25ec19c9b5d4fb7c59b32dff106ce
Instruction ID: 42cf444844555166a58d89d79c2ea18712b98d4aecf0387d5ee15e99a41dc7e8
Opcode Fuzzy Hash: 28f3639ac4d97d37957dd4a2c7e7bc2407b25ec19c9b5d4fb7c59b32dff106ce
Instruction Fuzzy Hash: 8F618C70204342EFE721DF19C894F5ABBE1AF44318F18849CE5A68B793C77AE945CB91

Function 01013886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01013925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0101393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01013954
_wcslen.LIBCMT ref: 01013999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010139F4

Strings

SysListView32, xrefs: 010138F7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 1cf3cb26b27098f5fdd11624c87b9854ac4874141dc5e1c0b97d8f33b4d1f599
Instruction ID: d9a1ce5c8efc34ce56b8bb5f5a4337697bddfb44266b58ac638a4920d0a9f4de
Opcode Fuzzy Hash: 1cf3cb26b27098f5fdd11624c87b9854ac4874141dc5e1c0b97d8f33b4d1f599
Instruction Fuzzy Hash: 3C41C771A00319ABEF219F64CC45FEA7BA9FF08364F100566F984EB285D379D940CB90

Function 00FEBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FEBCFD
IsMenu.USER32(00000000), ref: 00FEBD1D
CreatePopupMenu.USER32 ref: 00FEBD53
GetMenuItemCount.USER32(01225CF0), ref: 00FEBDA4
InsertMenuItemW.USER32(01225CF0,?,00000001,00000030), ref: 00FEBDCC

Strings

0, xrefs: 00FEBCA8
2, xrefs: 00FEBD37

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 024c0a7cd08c09a49365a10a8483920fd53983283c2c665cc02001415dd9e0f5
Instruction ID: 26fcb839b3e9dbee4bf8073a12411fdd70e01c5945c50f3f50a72846fe071307
Opcode Fuzzy Hash: 024c0a7cd08c09a49365a10a8483920fd53983283c2c665cc02001415dd9e0f5
Instruction Fuzzy Hash: DA51AD70A002899BDF30CFAADD88BAFBBF8BF45324F244229E451D7290D7749941DB61

Function 00FEC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FEC913

Strings

info, xrefs: 00FEC8B4
stop, xrefs: 00FEC8E4
blank, xrefs: 00FEC895
warning, xrefs: 00FEC8FC
question, xrefs: 00FEC8CC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7f442f3dabe765981581c465b429abf3507384ab47e528f5235cb7d255288abd
Instruction ID: 9fe6ea47583b57d69de57bf17f320e9f7413761f58c572bbbd8c68d324a91875
Opcode Fuzzy Hash: 7f442f3dabe765981581c465b429abf3507384ab47e528f5235cb7d255288abd
Instruction Fuzzy Hash: D311EE72A89346BBE7019B569C82D9E7B9CDF16764B10003FF500A6183F7BD6E0172A4

Function 00FEDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FEDE42
gethostname.WSOCK32(?,00000100), ref: 00FEDE5C
gethostbyname.WSOCK32(?), ref: 00FEDE69
inet_ntoa.WSOCK32(?), ref: 00FEDEAB
_strcat.LIBCMT ref: 00FEDEB9
WSACleanup.WSOCK32 ref: 00FEDEDE

Strings

0.0.0.0, xrefs: 00FEDE87

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 68e25ff0ba962173786dac5c64c10134e33942f4a9294b2c5fb6f16a99bf963b
Instruction ID: 4776b13fe322083509622bceff7254673d0a46400acfd5c1e20367745f382aa8
Opcode Fuzzy Hash: 68e25ff0ba962173786dac5c64c10134e33942f4a9294b2c5fb6f16a99bf963b
Instruction Fuzzy Hash: B7110671904114AFDB30AB61DC4AEEF77ACDF55720F040169F4459A081EFBADA81A760

Function 01019F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetSystemMetrics.USER32(0000000F), ref: 01019FC7
GetSystemMetrics.USER32(0000000F), ref: 01019FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0101A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0101A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0101A263
ShowWindow.USER32(00000003,00000000), ref: 0101A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0101A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0101A2CA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 12716390b3feb6475240faeee130c8755362b621caa1d169ab499973c0b14028
Instruction ID: d9a79675359e80c41ab3cf3150799b0d4bd5216931cf8cff8824997d8107df1c
Opcode Fuzzy Hash: 12716390b3feb6475240faeee130c8755362b621caa1d169ab499973c0b14028
Instruction Fuzzy Hash: 1BB18A31601265DBEF25CF6CC9857EE7BF2BF44741F0880A9ED859B289D739A940CB50

Function 00FEED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FEED2A
_wcslen.LIBCMT ref: 00FEED3B
_wcslen.LIBCMT ref: 00FEED79
_wcslen.LIBCMT ref: 00FEEDAF
_wcslen.LIBCMT ref: 00FEEDDF
_wcslen.LIBCMT ref: 00FEEDEF
_wcslen.LIBCMT ref: 00FEEE2B
_wcslen.LIBCMT ref: 00FEEE5A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9e02b26a5838a8818930edea1380b08b8a896cee5096c63d0dacd5e9903cfe4a
Instruction ID: a1bbd64f84fe2b789ec86837c129ebd1d96920799d73431bb054b296e6fd7d41
Opcode Fuzzy Hash: 9e02b26a5838a8818930edea1380b08b8a896cee5096c63d0dacd5e9903cfe4a
Instruction Fuzzy Hash: 5341A3A5C10258B6CB11EBF5CC8AACFB7ACAF46710F508466E518E3121FB38E255D3A5

Function 00F9F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00F9F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00FDF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 00FDF454

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c74c6aa048a78961ac50c6bc127af76e06a779b4a51bf888e889e482f0aee2ee
Instruction ID: ad71384b907a7bc7bfae206b56dba8be23a30417b78295feab57f7e20c2411b6
Opcode Fuzzy Hash: c74c6aa048a78961ac50c6bc127af76e06a779b4a51bf888e889e482f0aee2ee
Instruction Fuzzy Hash: C9411D31E14640BAFF399B29CD88B2A7B926B57334F18443DE087D6654C67A9488F711

Function 01012D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01012D1B
GetDC.USER32(00000000), ref: 01012D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01012D2E
ReleaseDC.USER32(00000000,00000000), ref: 01012D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01012D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01012D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01015A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01012DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01012DE1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b8e2c63d83de78219bc9941336956f90b8d91460f665a3577b8f0b0aab17e437
Instruction ID: e4f7b604c49162e2424b3b58bac832198b6a868ea2a162272eaf5dc73623e3de
Opcode Fuzzy Hash: b8e2c63d83de78219bc9941336956f90b8d91460f665a3577b8f0b0aab17e437
Instruction Fuzzy Hash: 2A317C72241214BFFB258F54CD89FEB3FA9FF0A715F044055FE889A285C67A9850C7A4

Function 00FE5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FE5637
_memcmp.LIBVCRUNTIME ref: 00FE5659
_memcmp.LIBVCRUNTIME ref: 00FE5671
_memcmp.LIBVCRUNTIME ref: 00FE5684
_memcmp.LIBVCRUNTIME ref: 00FE569E
_memcmp.LIBVCRUNTIME ref: 00FE56B1
_memcmp.LIBVCRUNTIME ref: 00FE56C9
_memcmp.LIBVCRUNTIME ref: 00FE56E4

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1f64853269f0ae099cfdbc61e99e666ae83bb841606628cca23975550748f894
Instruction ID: 8ba7a1f9ea72b31ea2fd0ce07198df4915a0e62885414090738ebf84c5a79d80
Opcode Fuzzy Hash: 1f64853269f0ae099cfdbc61e99e666ae83bb841606628cca23975550748f894
Instruction Fuzzy Hash: 2C21D7A6A40A4A7BD6149A234E92FFB335CBF21B9CF440024FD049E541F768ED14B5E5

Function 01004FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01005007
NULL Pointer assignment, xrefs: 0100502E, 01005383

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e84a0f0e197744158bb943cb58d07ad50179867f5b7eefb67c54f0ed5436c223
Instruction ID: f8e91fa5edc81f2c337474db4607ceafe9fefe0074bb614021c6503c6e185c60
Opcode Fuzzy Hash: e84a0f0e197744158bb943cb58d07ad50179867f5b7eefb67c54f0ed5436c223
Instruction Fuzzy Hash: 5DD19275A0020AAFEF11CF98CC81AAEBBF5BF48314F148469E955AB281E771D945CF50

Function 00FC1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00FC15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00FC17FB,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC16FB

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00FC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FC1777
__freea.LIBCMT ref: 00FC17A2
__freea.LIBCMT ref: 00FC17AE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 531d746aa7e13cf67d362bf2f3eff9e10bfc86b9793e4c65a48dac9178e3717c
Instruction ID: 1a6699fa52b5fb9419becbb8929b5e4ed8463b02dd2ded73593ad7db3ba0d0d6
Opcode Fuzzy Hash: 531d746aa7e13cf67d362bf2f3eff9e10bfc86b9793e4c65a48dac9178e3717c
Instruction Fuzzy Hash: 85919372E102179ADF208E64CE52FEE7BB5BF4A320F18465DE801E7142D739DD54AB60

Function 01004523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01004648
VariantInit.OLEAUT32(?), ref: 01004749
VariantClear.OLEAUT32(?), ref: 01004753
VariantClear.OLEAUT32(?), ref: 010047B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0100472C
Null Object assignment in FOR..IN loop, xrefs: 010045D8, 01004706, 010047BE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5380772ec302e875ffd85dd3320d36ffb9ec7176c7062b40461fd4883ad3b9ab
Instruction ID: c9be816d3b583064979350dafccdd8a9b34297f5552af7dce0ae967e09556081
Opcode Fuzzy Hash: 5380772ec302e875ffd85dd3320d36ffb9ec7176c7062b40461fd4883ad3b9ab
Instruction Fuzzy Hash: 37917D71A00219ABEF21CFA5CC84FAEBBB8FF45710F008559E645EB281D7749945CBA4

Function 00FF1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FF125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FF1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FF12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FF1430

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 46efa6d7b26b9bce49827b7a868ef5ffbc561d843a782aae3f849759e4f887ed
Instruction ID: c8a62c15935256793120ef1e47cf8d7ab3ba6eac8bbb98efcaba36b77b76ccf1
Opcode Fuzzy Hash: 46efa6d7b26b9bce49827b7a868ef5ffbc561d843a782aae3f849759e4f887ed
Instruction Fuzzy Hash: 9C91C172A0020DDFEB10DF94C884BBEB7B5FF45325F104029EA50EB2A1D779A945EB90

Function 00F9948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 246edf115eb30d9c03844d7debe2e4058bc935acf818b655739dd4e2ca677e16
Instruction ID: 06958a7c2879619e99ef68bc3876f340c29fc9d51776822677b7ec810e64f24e
Opcode Fuzzy Hash: 246edf115eb30d9c03844d7debe2e4058bc935acf818b655739dd4e2ca677e16
Instruction Fuzzy Hash: B1917771D04209AFDF11CFA9CC84AEEBBB9FF49320F19804AE501B7251D378AA41DB60

Function 01003947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100396B
CharUpperBuffW.USER32(?,?), ref: 01003A7A
_wcslen.LIBCMT ref: 01003A8A
VariantClear.OLEAUT32(?), ref: 01003C1F

Part of subcall function 00FF0CDF: VariantInit.OLEAUT32(00000000), ref: 00FF0D1F
Part of subcall function 00FF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FF0D28
Part of subcall function 00FF0CDF: VariantClear.OLEAUT32(?), ref: 00FF0D34

Strings

AUTOIT.ERROR, xrefs: 01003A80, 01003A85
Incorrect Parameter format, xrefs: 010039A6, 01003BA1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a0da2750921b0796ee4232276cb55eb0eefcec235526ba6c0f32f212a2402655
Instruction ID: 917e066a5ec5f6c7e956fb2573714cd39cafba11a4fad2d8b5472b34f8b67435
Opcode Fuzzy Hash: a0da2750921b0796ee4232276cb55eb0eefcec235526ba6c0f32f212a2402655
Instruction Fuzzy Hash: E9917C74A083059FD705EF28C48096AB7E4FF89314F14886DF9899B391DB35ED45CB92

Function 01004BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?,?,00FE035E), ref: 00FE002B
Part of subcall function 00FE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0046
Part of subcall function 00FE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0054
Part of subcall function 00FE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?), ref: 00FE0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01004C51
_wcslen.LIBCMT ref: 01004D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01004DCF
CoTaskMemFree.OLE32(?), ref: 01004DDA

Strings

NULL Pointer assignment, xrefs: 01004E23, 01004E52

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 41c8f9727cd8be3c4ab94fb613b0757813a01ee7e53da5417418c66201ffe3ad
Instruction ID: 7bbfeb5fc9e094865e3bafa25d6a0224db43de1fbb8ca0b08e7281191845a8b7
Opcode Fuzzy Hash: 41c8f9727cd8be3c4ab94fb613b0757813a01ee7e53da5417418c66201ffe3ad
Instruction Fuzzy Hash: 06911971D0021D9FEF15EFA4CC91AEDB7B8BF08314F10416AEA55A7291DB749A44CF60

Function 010120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01012183
GetMenuItemCount.USER32(00000000), ref: 010121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010121DD
_wcslen.LIBCMT ref: 01012213
GetMenuItemID.USER32(?,?), ref: 0101224D
GetSubMenu.USER32(?,?), ref: 0101225B

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010122E3

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c1fcea85f4e3966591779fec63b2960ed427c08f7ae48d61d7a50d5f539ba5f1
Instruction ID: 36917dbabe965ca467eeb1ba4e8f4b1f5d2239203083f93179a267a09d92c292
Opcode Fuzzy Hash: c1fcea85f4e3966591779fec63b2960ed427c08f7ae48d61d7a50d5f539ba5f1
Instruction Fuzzy Hash: F6718375E00205AFDB10EF68C845AEEBBF5FF48310F248499E956EB345D739E9418BA0

Function 01017E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01225A98), ref: 01017F37
IsWindowEnabled.USER32(01225A98), ref: 01017F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0101801E
SendMessageW.USER32(01225A98,000000B0,?,?), ref: 01018051
IsDlgButtonChecked.USER32(?,?), ref: 01018089
GetWindowLongW.USER32(01225A98,000000EC), ref: 010180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010180C3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9c87a21bf3240f0fe38734ba19fa195ccd4492cfe4f1f1b67bab61cf34caf9e8
Instruction ID: 463f9efd8552ee08a5a193f0d2458b6c9f4f62bf8a59c6c7ca09ba7486d63fc2
Opcode Fuzzy Hash: 9c87a21bf3240f0fe38734ba19fa195ccd4492cfe4f1f1b67bab61cf34caf9e8
Instruction Fuzzy Hash: 18715D75604204AFEB629F68C884FEB7BF5EF09300F14449EFAD597259C73AA941CB10

Function 00FEAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FEAEF9
GetKeyboardState.USER32(?), ref: 00FEAF0E
SetKeyboardState.USER32(?), ref: 00FEAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FEAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FEAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FEAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FEB020

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9cf7ba169698d06abec59131084719d4946ead4362080e8dd378dafba982f6a1
Instruction ID: 1508e10c9f5b9036a4bece24708347f2daec20db5af2ea545401aa26077cf5f2
Opcode Fuzzy Hash: 9cf7ba169698d06abec59131084719d4946ead4362080e8dd378dafba982f6a1
Instruction Fuzzy Hash: C751C1A0A047D53DFB3683368C45BBBBEA95B46324F088489E2D9458C2C3D9FCC8E751

Function 00FEACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FEAD19
GetKeyboardState.USER32(?), ref: 00FEAD2E
SetKeyboardState.USER32(?), ref: 00FEAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FEADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FEADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FEAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FEAE38

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 87b474a414c6d282828d543d4adab52bcdddd95da7ccdd3bb758e8e18d110b4e
Instruction ID: 2125f6e7098eef973fb35ac7f391386a3de9e915c01ec067fcf5b20bdf583920
Opcode Fuzzy Hash: 87b474a414c6d282828d543d4adab52bcdddd95da7ccdd3bb758e8e18d110b4e
Instruction Fuzzy Hash: 8551F5A1D047D53DFB3382368C95B7ABEA95F46310F088489E1D5468C2D298FC98F762

Function 00FB542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FC3CD6,?,?,?,?,?,?,?,?,00FB5BA3,?,?,00FC3CD6,?,?), ref: 00FB5470
__fassign.LIBCMT ref: 00FB54EB
__fassign.LIBCMT ref: 00FB5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FC3CD6,00000005,00000000,00000000), ref: 00FB552C
WriteFile.KERNEL32(?,00FC3CD6,00000000,00FB5BA3,00000000,?,?,?,?,?,?,?,?,?,00FB5BA3,?), ref: 00FB554B
WriteFile.KERNEL32(?,?,00000001,00FB5BA3,00000000,?,?,?,?,?,?,?,?,?,00FB5BA3,?), ref: 00FB5584

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f3a7f163ea15efa2c1470a97019f9643a57aac2bb7908a7d8de4bf833966034f
Instruction ID: eee7a7886fef9b5151cbdb07dcfef5f0b237449b2c500dc3440ad01a1a79549a
Opcode Fuzzy Hash: f3a7f163ea15efa2c1470a97019f9643a57aac2bb7908a7d8de4bf833966034f
Instruction Fuzzy Hash: 4D51C1B1A006489FDB20CFA9D841BEEBBF9EF09711F18411AF955E7281D638DA41CF60

Function 00FA2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FA2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FA2D53
_ValidateLocalCookies.LIBCMT ref: 00FA2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FA2E0C
_ValidateLocalCookies.LIBCMT ref: 00FA2E61

Strings

csm, xrefs: 00FA2DF6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 402a8aa71455eabd0ae6881687f51e26263bbbcb9a26083b7f2c51649ebbfe73
Instruction ID: e4a3325720eb95e5ebe87c16e318a6aaee5a066f095e57d7ae67352d6d147f90
Opcode Fuzzy Hash: 402a8aa71455eabd0ae6881687f51e26263bbbcb9a26083b7f2c51649ebbfe73
Instruction Fuzzy Hash: DF41A0B5F01209ABCF10DF6CC885A9EBBA5BF46328F148155F8146B352D739DA05EB90

Function 010010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
Part of subcall function 0100304E: _wcslen.LIBCMT ref: 0100309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01001112
WSAGetLastError.WSOCK32 ref: 01001121
WSAGetLastError.WSOCK32 ref: 010011C9
closesocket.WSOCK32(00000000), ref: 010011F9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: acdbdd77310da935f1ef43344b1b36237c69449312f4c539226da86e47af880f
Instruction ID: 0136ac451f93870f0ae42a1dce22efcc8810a200fc41838dae6ec877627cbba1
Opcode Fuzzy Hash: acdbdd77310da935f1ef43344b1b36237c69449312f4c539226da86e47af880f
Instruction Fuzzy Hash: C541A131600204AFEB169F18C884BEABBE9FF45324F148059FD959B2C5C779E941CBE1

Function 00FECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FECF22,?), ref: 00FEDDFD

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FECF22,?), ref: 00FEDE16

lstrcmpiW.KERNEL32(?,?), ref: 00FECF45
MoveFileW.KERNEL32(?,?), ref: 00FECF7F
_wcslen.LIBCMT ref: 00FED005
_wcslen.LIBCMT ref: 00FED01B
SHFileOperationW.SHELL32(?), ref: 00FED061

Strings

\*.*, xrefs: 00FECFF3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ecde7517bbbb282e2dfb524d6d4fa998c6e685800604fa596b78654389151479
Instruction ID: c05139a95a44893d9bbaaaadd2852ff02f215504ffbd8711817fc07dfe8fef6c
Opcode Fuzzy Hash: ecde7517bbbb282e2dfb524d6d4fa998c6e685800604fa596b78654389151479
Instruction Fuzzy Hash: 664186B1D452585FDF22EFA5DD81ADEB7B8AF08380F0000E6E505EB141EB39A785DB50

Function 01012DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01012E1C
GetWindowLongW.USER32(?,000000F0), ref: 01012E4F
GetWindowLongW.USER32(?,000000F0), ref: 01012E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01012EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01012EE0
GetWindowLongW.USER32(?,000000F0), ref: 01012EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01012F0B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c16f0ff0ace7b6b2e862702bc595ce05c7c0fffa8e9e8d53df566d96f7f58389
Instruction ID: 7bcc004ace9be85f5446f378e781e08f685e2aa28d6cbc0a301345d1aba91275
Opcode Fuzzy Hash: c16f0ff0ace7b6b2e862702bc595ce05c7c0fffa8e9e8d53df566d96f7f58389
Instruction Fuzzy Hash: 0A310634644250AFEB21CF5CDD84FA537E5FB5A714F2501A4F9908F2AACB7AE840DB41

Function 00FE7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE778F
SysAllocString.OLEAUT32(00000000), ref: 00FE7792
SysAllocString.OLEAUT32(?), ref: 00FE77B0
SysFreeString.OLEAUT32(?), ref: 00FE77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FE77DE
SysAllocString.OLEAUT32(?), ref: 00FE77EC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 75f7072fd59febdeb740a855e9218222b79a74a81cb7d4fbc51ce61ce060c9b1
Instruction ID: 603ed87e4a53c016cef1c263ffa5ca6fc6ff585543b2e22967283ddda06db7dd
Opcode Fuzzy Hash: 75f7072fd59febdeb740a855e9218222b79a74a81cb7d4fbc51ce61ce060c9b1
Instruction Fuzzy Hash: A421D676A08359AFEF20EEA9CC88DBB73ACEB093647048025F904DB150D678DC419760

Function 00FE77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FE7868
SysAllocString.OLEAUT32(00000000), ref: 00FE786B
SysAllocString.OLEAUT32 ref: 00FE788C
SysFreeString.OLEAUT32 ref: 00FE7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FE78AF
SysAllocString.OLEAUT32(?), ref: 00FE78BD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5c1dcdf96183ec72b869f248cf592d5f6a2eb8a0caaef54f4cb1cbc767042cf1
Instruction ID: 6f88b147884d142e5fca065b7176264d6e1acac20ca4612afaa64b793793212b
Opcode Fuzzy Hash: 5c1dcdf96183ec72b869f248cf592d5f6a2eb8a0caaef54f4cb1cbc767042cf1
Instruction Fuzzy Hash: D121D831A48214AFEF10AFB9CC8CDAA77ECEB193607208025F914CB194DA78DD41DB64

Function 00FF04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF052E

Strings

nul, xrefs: 00FF0567

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4f6115f9113b3ae1b2d108bf01ad85c67c2b71d273c1dff59eb9d0ad39a6ed3b
Instruction ID: 3088e4e3e2a1e3ac2760c5a6c8752ee4c0b1394130f7dbe7fdb82dbc5da82bce
Opcode Fuzzy Hash: 4f6115f9113b3ae1b2d108bf01ad85c67c2b71d273c1dff59eb9d0ad39a6ed3b
Instruction Fuzzy Hash: AF219475900309AFDF208F69D844AAA77B4AF45734F284A19F9A1D72E1DBB1D940DF20

Function 00FF05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF0601

Strings

nul, xrefs: 00FF0639

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9e21be3d9fc94044a00fefc4dfce43f1210ff62d4b33a622bf7c2eccd996f761
Instruction ID: d242ce47dd7a02b6258d4bfc3eade6bf8899692d3df635ed12e5e83473b0dbb0
Opcode Fuzzy Hash: 9e21be3d9fc94044a00fefc4dfce43f1210ff62d4b33a622bf7c2eccd996f761
Instruction Fuzzy Hash: E821A3759003199BDB208F698804AAA77E4AF85730F200A19FAA1D72E1DFB19960DB10

Function 010140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
Part of subcall function 00F8600E: GetStockObject.GDI32(00000011), ref: 00F86060
Part of subcall function 00F8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01014112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0101411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0101412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01014139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01014145

Strings

Msctls_Progress32, xrefs: 010140E3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 91372ffbd3ac3334f0febc5c0e32a715e49f2bc657471bc14c7b816088c52109
Instruction ID: 39d1b633360194aaf3fda6466a87fbe580a4ab6a07729a7aae5523d5197f6ca2
Opcode Fuzzy Hash: 91372ffbd3ac3334f0febc5c0e32a715e49f2bc657471bc14c7b816088c52109
Instruction Fuzzy Hash: 7011B2B2140219BEEF219E65CC85EE77F9DEF09798F004111BA58E6054C776DC21DBA4

Function 00FBD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FBD7A3: _free.LIBCMT ref: 00FBD7CC

_free.LIBCMT ref: 00FBD82D

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBD838
_free.LIBCMT ref: 00FBD843
_free.LIBCMT ref: 00FBD897
_free.LIBCMT ref: 00FBD8A2
_free.LIBCMT ref: 00FBD8AD
_free.LIBCMT ref: 00FBD8B8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c32d5dcd4e2e16652645884f863a805b4f9ccf1782375f0a57dc59218e4dca28
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DF115171540B04BBD521BFB2CC47FCB7BEC6F00700F400C25B29DA6492EA69B5057E51

Function 00FEDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FEDA74
LoadStringW.USER32(00000000), ref: 00FEDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FEDA91
LoadStringW.USER32(00000000), ref: 00FEDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FEDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FEDAB9

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a9d1d02e8ba50b0e3247db8edebf678664d8373f22e28de6000eb2d7ab37d247
Instruction ID: 2b627961194615aca2dfa58ab4e170faaa9556d3de7e4cbf50dc8562e9f110fd
Opcode Fuzzy Hash: a9d1d02e8ba50b0e3247db8edebf678664d8373f22e28de6000eb2d7ab37d247
Instruction Fuzzy Hash: D90162F69402087FF710ABA09E89EE7336CE708701F4008A5B786E6045EA7DDE844B74

Function 00FF096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0121EEF0,0121EEF0), ref: 00FF097B
EnterCriticalSection.KERNEL32(0121EED0,00000000), ref: 00FF098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FF099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FF09A9
CloseHandle.KERNEL32(?), ref: 00FF09B8
InterlockedExchange.KERNEL32(0121EEF0,000001F6), ref: 00FF09C8
LeaveCriticalSection.KERNEL32(0121EED0), ref: 00FF09CF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4d90e3ed7ad9e3c93dca51ee98be57e6b5441e6a5a97b257e8058c7abd1da392
Instruction ID: 1bfc1e0d2848a1a9d86f0d614f260419cf20d37437a70714f32bf5b4fcee58a0
Opcode Fuzzy Hash: 4d90e3ed7ad9e3c93dca51ee98be57e6b5441e6a5a97b257e8058c7abd1da392
Instruction Fuzzy Hash: 85F01D31482612BBE7615B94EF88AE67A35BF01712F401015F241508A5DB7ED565DF90

Function 01001C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01001DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01001DE1
WSAGetLastError.WSOCK32 ref: 01001DF2
htons.WSOCK32(?,?,?,?,?), ref: 01001EDB
inet_ntoa.WSOCK32(?), ref: 01001E8C

Part of subcall function 00FE39E8: _strlen.LIBCMT ref: 00FE39F2

Part of subcall function 01003224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FFEC0C), ref: 01003240

_strlen.LIBCMT ref: 01001F35

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 905959c732127763fe9aaf21229469e571c0e7169a445e44f94da0e999fc9ff9
Instruction ID: d9248fed4f691b2fc7f90b729d4eb4b73a3c4a970737832ed1c06bb91f8e5f50
Opcode Fuzzy Hash: 905959c732127763fe9aaf21229469e571c0e7169a445e44f94da0e999fc9ff9
Instruction Fuzzy Hash: A3B1E130204340AFE725EF28C885E7A7BE5AF85318F54858CF5965B2E2CB75ED42CB91

Function 00F85D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F85D30
GetWindowRect.USER32(?,?), ref: 00F85D71
ScreenToClient.USER32(?,?), ref: 00F85D99
GetClientRect.USER32(?,?), ref: 00F85ED7
GetWindowRect.USER32(?,?), ref: 00F85EF8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 070347b1b5b6e07b6989ceeb77e862e25f844995be19c087b3bd13c325955bc4
Instruction ID: 467ecce3d2a6edc3cf66cda3648bf265f5efd059243e330b4f6e7ab01c9c389c
Opcode Fuzzy Hash: 070347b1b5b6e07b6989ceeb77e862e25f844995be19c087b3bd13c325955bc4
Instruction Fuzzy Hash: 6EB17935A0064ADBDB14DFA8C981BEEB7F1FF58310F14841AE8A9D7250DB34EA51EB50

Function 00FB01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FB00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB00D6
__allrem.LIBCMT ref: 00FB00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB010B
__allrem.LIBCMT ref: 00FB0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0140

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: dd967dc0fedf7faf4e29295e87ae3b04c6ffec3a117871bca88d051111d98b9b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0581FC72A007069FE724AE69CC41BAB73E9AF42374F24423DF551DB281EB74D904AF50

Function 00FB61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FA82D9,00FA82D9,?,?,?,00FB644F,00000001,00000001,8BE85006), ref: 00FB6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FB644F,00000001,00000001,8BE85006,?,?,?), ref: 00FB62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FB63D8
__freea.LIBCMT ref: 00FB63E5

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

__freea.LIBCMT ref: 00FB63EE
__freea.LIBCMT ref: 00FB6413

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 277fd6a88b613a92856d61fbc56b1220b8f3037cf717bccf6f5fc3c5a7a83d9d
Instruction ID: 6b23be122217a4e75ae4c1c00097aba9de27e82701deec840f7abf1e90b019d8
Opcode Fuzzy Hash: 277fd6a88b613a92856d61fbc56b1220b8f3037cf717bccf6f5fc3c5a7a83d9d
Instruction Fuzzy Hash: F351C072A00216ABEF259E66DD81EEF77A9EB44760F184629FC05D6240DB3CDC44EE60

Function 0100BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100BD25
RegCloseKey.ADVAPI32(00000000), ref: 0100BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0100BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0100BDF3
RegCloseKey.ADVAPI32(?), ref: 0100BDFF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f31a16eba788db1c6936f6def19f0eb6679008fba29b59d5bc6d2cba84035de8
Instruction ID: e8df63ba2b7b89f93ad08b186760909e7c19c89722f50f1c3b7ae56e1e22ab2c
Opcode Fuzzy Hash: f31a16eba788db1c6936f6def19f0eb6679008fba29b59d5bc6d2cba84035de8
Instruction Fuzzy Hash: 9A81F434208241EFE715EF24C881E6ABBE5FF84308F14859DF5958B2A2DB35ED45CB92

Function 00FDF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00FDF7B9
SysAllocString.OLEAUT32(00000001), ref: 00FDF860
VariantCopy.OLEAUT32(00FDFA64,00000000), ref: 00FDF889
VariantClear.OLEAUT32(00FDFA64), ref: 00FDF8AD
VariantCopy.OLEAUT32(00FDFA64,00000000), ref: 00FDF8B1
VariantClear.OLEAUT32(?), ref: 00FDF8BB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8858b3fa74ea99079ab98548defe52276138b8b38445ee930601fc36e8405d17
Instruction ID: 4b6cd6b64985c45f94e7efb81d207d904a61e0bb77de04be9e672d16d38dada5
Opcode Fuzzy Hash: 8858b3fa74ea99079ab98548defe52276138b8b38445ee930601fc36e8405d17
Instruction Fuzzy Hash: 5051C531A40310AADF20AB65DC95F29B3A6EF45310B288467E907DF395DB788C48F757

Function 00FF910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FF94E5
_wcslen.LIBCMT ref: 00FF9506
_wcslen.LIBCMT ref: 00FF952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FF9585

Strings

X, xrefs: 00FF9412

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e7827135ea5e5f908b3b206ad5c29f2978aa405992a1de2bb5a8ed4794d26143
Instruction ID: e2e091dcb8a1e237065df9d358c4ea0e532e65814f5d1f04101b96a288c24f11
Opcode Fuzzy Hash: e7827135ea5e5f908b3b206ad5c29f2978aa405992a1de2bb5a8ed4794d26143
Instruction Fuzzy Hash: 5CE1D571908301CFD724EF24C881BAAB7E4BF85314F08856DF9899B2A2DB75DD05DB91

Function 00F9920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

BeginPaint.USER32(?,?,?), ref: 00F99241
GetWindowRect.USER32(?,?), ref: 00F992A5
ScreenToClient.USER32(?,?), ref: 00F992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F992D3
EndPaint.USER32(?,?,?,?,?), ref: 00F99321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FD71EA

Part of subcall function 00F99339: BeginPath.GDI32(00000000), ref: 00F99357

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0dcd2c35ea8713dccc5907744420f8e355edd973bd3d546f189516bbf4a21bca
Instruction ID: f2ef7251fee1a654f53c3c08357ad463d7f9999d1e93089ac9bf776211a3bf52
Opcode Fuzzy Hash: 0dcd2c35ea8713dccc5907744420f8e355edd973bd3d546f189516bbf4a21bca
Instruction Fuzzy Hash: BA41B371508300AFEB21DF18C884FBB7BB9EB46320F14061DF995872E1D7799845EB61

Function 00FF07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FF0847
EnterCriticalSection.KERNEL32(?), ref: 00FF0863
LeaveCriticalSection.KERNEL32(?), ref: 00FF08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FF08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF0921

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 92f2973197f48479cc055cc74637dfd009d4f9fb2ac20939ae5203806c66fb55
Instruction ID: dd5ad6b3d62723cf5af20522ac76e27432343886a8296d0356667875cda8648a
Opcode Fuzzy Hash: 92f2973197f48479cc055cc74637dfd009d4f9fb2ac20939ae5203806c66fb55
Instruction Fuzzy Hash: 9B417E71900209EBEF24AF54DC85AAA7778FF04310F1440A5ED04DA29BDB79DE54EBA4

Function 010181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FDF3AB,00000000,?,?,00000000,?,00FD682C,00000004,00000000,00000000), ref: 0101824C
EnableWindow.USER32(?,00000000), ref: 01018272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010182D1
ShowWindow.USER32(?,00000004), ref: 010182E5
EnableWindow.USER32(?,00000001), ref: 0101830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0101832F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9195e3aaf43aab520ad0a1a66623da121cb9966cad8e40b15e1f338d31aeee32
Instruction ID: 874bc26aacbcb9814f17de25eb1afdd344b99de54fefe10a656d53cf380d5250
Opcode Fuzzy Hash: 9195e3aaf43aab520ad0a1a66623da121cb9966cad8e40b15e1f338d31aeee32
Instruction Fuzzy Hash: D941DD34601644EFEB62CF18C489BE57FF0FB09714F1881E6E6984F16AC37AA541CB50

Function 010022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010022E8

Part of subcall function 00FFE4EC: GetWindowRect.USER32(?,?), ref: 00FFE504

GetDesktopWindow.USER32 ref: 01002312
GetWindowRect.USER32(00000000), ref: 01002319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01002355
GetCursorPos.USER32(?), ref: 01002381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010023DF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1ea0bd61ecb176adb6606e0e0baaecf1341486b0f3d4f98cb200436ffbbf833c
Instruction ID: 93761171fd8205d54fd0479efbece1f1a39cbfedb8923f5cfa898eacfc8e686f
Opcode Fuzzy Hash: 1ea0bd61ecb176adb6606e0e0baaecf1341486b0f3d4f98cb200436ffbbf833c
Instruction Fuzzy Hash: 8C31C072505305AFE721DF59D848B5BBBE9FF88314F004A19F9C597181DB39EA08CB92

Function 00FE4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FE4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FE4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FE4CEA
_wcslen.LIBCMT ref: 00FE4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FE4D10
_wcsstr.LIBVCRUNTIME ref: 00FE4D1A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 754e01d4f6e0d5c5982a50ada0091e385f28d3c3c724ef9e08f1ea4855521370
Instruction ID: 1d480ea6f1d78a3ae6b1e766ad3dd2e6ccd6a634c450f2d27631eff0d4beded5
Opcode Fuzzy Hash: 754e01d4f6e0d5c5982a50ada0091e385f28d3c3c724ef9e08f1ea4855521370
Instruction Fuzzy Hash: 8D21F9726042407BFB355B3AAD49E7B7B9CDF49760F10402DF805CA192DA79EC40A7A0

Function 00FF581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F83A97,?,?,00F82E7F,?,?,?,00000000), ref: 00F83AC2

_wcslen.LIBCMT ref: 00FF587B
CoInitialize.OLE32(00000000), ref: 00FF5995
CoCreateInstance.OLE32(0101FCF8,00000000,00000001,0101FB68,?), ref: 00FF59AE
CoUninitialize.OLE32 ref: 00FF59CC

Strings

.lnk, xrefs: 00FF5876, 00FF58C1, 00FF5985

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 78cfef82c8ea62a58ba3fb5ca6fff7773bb668f8cea6b168b4a8267bb01ab2cb
Instruction ID: 225ea59e9234e03f6d74aab558a7b40603d2d75754d816e7f5e3fcbe2f98861a
Opcode Fuzzy Hash: 78cfef82c8ea62a58ba3fb5ca6fff7773bb668f8cea6b168b4a8267bb01ab2cb
Instruction Fuzzy Hash: 1AD17771A047059FC714EF14C880A6ABBE1FF89B24F14485DFA899B361D735EC05DB92

Function 00FE175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE0FCA
Part of subcall function 00FE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE0FD6
Part of subcall function 00FE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE0FE5
Part of subcall function 00FE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE0FEC
Part of subcall function 00FE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE1002

GetLengthSid.ADVAPI32(?,00000000,00FE1335), ref: 00FE17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FE17BA
HeapAlloc.KERNEL32(00000000), ref: 00FE17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FE17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FE1335), ref: 00FE17EE
HeapFree.KERNEL32(00000000), ref: 00FE17F5

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d6b650ec47188bb99a6789e8d7307623026951a5ecea10333597c9f184627bd2
Instruction ID: 607b3edb87dfa9314ebe56d428db63aae61b4288b8a55701656dd60e36737e19
Opcode Fuzzy Hash: d6b650ec47188bb99a6789e8d7307623026951a5ecea10333597c9f184627bd2
Instruction Fuzzy Hash: 1C117C32984205EFEB249FA6CD49BAF7BA9FB46765F104118F48197200D73AE944EB60

Function 00FE14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FE14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FE1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FE1515
CloseHandle.KERNEL32(00000004), ref: 00FE1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FE1563

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 81efa7ab7f39981544991f524fe1d5950901763de613d99a85afaf95fd1ff9f0
Instruction ID: fedd3fc4857f14b48651d1cc5f1be39b998c292f3bf0ba4101af8e3cbe581ff6
Opcode Fuzzy Hash: 81efa7ab7f39981544991f524fe1d5950901763de613d99a85afaf95fd1ff9f0
Instruction Fuzzy Hash: 1B115972500249ABEF22CF99DE49BDE7BA9FF49714F044014FA05A2190C37ACE60EB60

Function 00FA3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FA3379,00FA2FE5), ref: 00FA3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FA339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FA33B7
SetLastError.KERNEL32(00000000,?,00FA3379,00FA2FE5), ref: 00FA3409

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4f2ffb447bda611715596c71d3e023cd204ed42b447b05cac2184499919546a8
Instruction ID: 9f1a23027430a7995c610978952c56a27d1080bddf0fffee90f08684a838e5a4
Opcode Fuzzy Hash: 4f2ffb447bda611715596c71d3e023cd204ed42b447b05cac2184499919546a8
Instruction Fuzzy Hash: 3D0124F3A0E3117FFB342674BEC9A673A94EB0B3793200229F410802E0EF1A4E017644

Function 00FB2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FB5686,00FC3CD6,?,00000000,?,00FB5B6A,?,?,?,?,?,00FAE6D1,?,01048A48), ref: 00FB2D78
_free.LIBCMT ref: 00FB2DAB
_free.LIBCMT ref: 00FB2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FAE6D1,?,01048A48,00000010,00F84F4A,?,?,00000000,00FC3CD6), ref: 00FB2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FAE6D1,?,01048A48,00000010,00F84F4A,?,?,00000000,00FC3CD6), ref: 00FB2DEC
_abort.LIBCMT ref: 00FB2DF2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d6326ada8b77438f2b0f64625d79dea3262d363954c46743cafae3896b16bd7f
Instruction ID: 37e2e3b1e220139381d115e8a8662c8da0f5c6149c229c9c5f6c20aecec632c5
Opcode Fuzzy Hash: d6326ada8b77438f2b0f64625d79dea3262d363954c46743cafae3896b16bd7f
Instruction Fuzzy Hash: 7AF0283698560027D7A2363BBD0AEDF3569AFCA7B0F240518F86492189EE2DC9017E20

Function 01018A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996A2
Part of subcall function 00F99639: BeginPath.GDI32(?), ref: 00F996B9
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01018A4E
LineTo.GDI32(?,00000003,00000000), ref: 01018A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01018A70
LineTo.GDI32(?,00000000,00000003), ref: 01018A80
EndPath.GDI32(?), ref: 01018A90
StrokePath.GDI32(?), ref: 01018AA0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e1c05022166b0b4180b76bd7217eb0be4c24426accbc9b0b7c5f4532c33a4de2
Instruction ID: e3e8fc3496949a78b1fad5350ab25efe0ca724544473c54435a37bafb27dbbfc
Opcode Fuzzy Hash: e1c05022166b0b4180b76bd7217eb0be4c24426accbc9b0b7c5f4532c33a4de2
Instruction Fuzzy Hash: 82111E7604010CBFEF129F94DC48F9A7FACEB05354F008451FA5596164C77A9D55DFA0

Function 00FE51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FE5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FE5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE5230
ReleaseDC.USER32(00000000,00000000), ref: 00FE5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FE524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FE5261

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 01748a58c33900da33e97935e9ddf1655c80fb8ec1b0b43b3a7c3b3eaa14a8e3
Instruction ID: 76aa514c35ec603bf036c9dccfd42b80a9054a3b8384945d0e63ffcb96c24a25
Opcode Fuzzy Hash: 01748a58c33900da33e97935e9ddf1655c80fb8ec1b0b43b3a7c3b3eaa14a8e3
Instruction Fuzzy Hash: B7018F75E40708BBEB109BE69D49E5EBFB8FB48751F044065FA09A7280D675D800CBA0

Function 00F81BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F81C22

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e74ee9f84faf82eabb002a28b7d717ab652cae35ede04fd1bcdb169046b6bd33
Instruction ID: c135a61075723070c8ddcf51062984046b39ede11320f0fb61e67f0214aa4124
Opcode Fuzzy Hash: e74ee9f84faf82eabb002a28b7d717ab652cae35ede04fd1bcdb169046b6bd33
Instruction Fuzzy Hash: 520167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FEEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FEEB75

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5f84ff1282d160748d0e06d61013c1d9382bee8e1918fad1043c8c0bb9e7cba6
Instruction ID: 1a7184eaae60249d0564937fec1add804108ae502842ba73ab1a73344774bc86
Opcode Fuzzy Hash: 5f84ff1282d160748d0e06d61013c1d9382bee8e1918fad1043c8c0bb9e7cba6
Instruction Fuzzy Hash: E8F01D72581158BBE63156529D0DEAB3A7CEBCAB15F000158F641D1084D6A9AA0187B5

Function 00FD7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00FD7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00FD7469
GetWindowDC.USER32(?), ref: 00FD7475
GetPixel.GDI32(00000000,?,?), ref: 00FD7484
ReleaseDC.USER32(?,00000000), ref: 00FD7496
GetSysColor.USER32(00000005), ref: 00FD74B0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 251c45963483706635c76b87520f92099b29e85850908a907c4b19711682dba8
Instruction ID: 93412c8f9313288e3a88af091826da19048dc179ecdf05dfc383f06e4f281fc4
Opcode Fuzzy Hash: 251c45963483706635c76b87520f92099b29e85850908a907c4b19711682dba8
Instruction Fuzzy Hash: 3D01AD32440215EFEB61AF64DD08BAA7BB6FF08321F650464F955A2190CB3A5E41EB10

Function 00FE1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE187F
UnloadUserProfile.USERENV(?,?), ref: 00FE188B
CloseHandle.KERNEL32(?), ref: 00FE1894
CloseHandle.KERNEL32(?), ref: 00FE189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE18A5
HeapFree.KERNEL32(00000000), ref: 00FE18AC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5d824810a9dff88c6a905cbe35fbb8243a0ddc22c4cc04a4996918196c2d35b3
Instruction ID: 6489a5bd910090da09510a1c69696e08825153bc607e75ba9152e57104ba6925
Opcode Fuzzy Hash: 5d824810a9dff88c6a905cbe35fbb8243a0ddc22c4cc04a4996918196c2d35b3
Instruction Fuzzy Hash: 88E0E536484611BBEB115FA1EE0C90ABF3AFF4AB22B108220F26581068CB7BD520DB50

Function 00FEC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FEC6EE
_wcslen.LIBCMT ref: 00FEC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FEC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FEC7CA

Strings

0, xrefs: 00FEC6AF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 109d7751d86446623470b5dba9a72bc4c80ba98aa955aa15ab05c94ec7512d6c
Instruction ID: d0d9fcee6c19215617e112ac0b156ddde0b2cc211733de3ce378debfb25ec4b7
Opcode Fuzzy Hash: 109d7751d86446623470b5dba9a72bc4c80ba98aa955aa15ab05c94ec7512d6c
Instruction Fuzzy Hash: 5651D371A043809BD7509F2AC845B6B7BE4AF49320F040A2DF995D3190DB74DD46EBD2

Function 0100AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0100AEA3

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

GetProcessId.KERNEL32(00000000), ref: 0100AF38
CloseHandle.KERNEL32(00000000), ref: 0100AF67

Strings

<, xrefs: 0100AE6B
@, xrefs: 0100AE72

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3e7f2702da00c4031efadbd46ceec6b763a8db5de81fd1dd9ecfebbfd03b8a4c
Instruction ID: 1a518f46fbd90fa174245d66aba94ab7c50446e0b1a2d892f82bd15518ae55dc
Opcode Fuzzy Hash: 3e7f2702da00c4031efadbd46ceec6b763a8db5de81fd1dd9ecfebbfd03b8a4c
Instruction Fuzzy Hash: 85714A71A00715DFEB15EF94C884A9EBBF0BF08314F148499E856AB392C779ED45CBA0

Function 00FE719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FE723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FE724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FE72CF

Strings

DllGetClassObject, xrefs: 00FE7242

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 827b2b82eb04a5f7cbdc0f9c576eb6ddf308358a45b4cec9e8588c44bde7cc17
Instruction ID: 04f0cccccf1601eea667b085dac217dd3b3d63443a6ceeb1cb91411a1e58d900
Opcode Fuzzy Hash: 827b2b82eb04a5f7cbdc0f9c576eb6ddf308358a45b4cec9e8588c44bde7cc17
Instruction Fuzzy Hash: A641BDB1A04305EFDB25DF55C884A9A7BA9EF44310F1080A9BE059F20AD7B5DD00EFA0

Function 01013D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01013E35
IsMenu.USER32(?), ref: 01013E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01013E92
DrawMenuBar.USER32 ref: 01013EA5

Strings

0, xrefs: 01013D89

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 74e800704328111f1eb1822384f40a4f0613d6968b24ca101178f0355b1a46e0
Instruction ID: 4b641d1cb754c339b522f393fabf23f60234eb8b69c138aa296399b5df62074f
Opcode Fuzzy Hash: 74e800704328111f1eb1822384f40a4f0613d6968b24ca101178f0355b1a46e0
Instruction Fuzzy Hash: A1416875A00309EFEB20DF54D884AAABBF9FF49360F044069E985AB284D739E944CF50

Function 00FE1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FE1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FE1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FE1EA9

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Strings

ListBox, xrefs: 00FE1E25
ComboBox, xrefs: 00FE1DF0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0c72c958fb1bd06fba4b8cbd329129332ac42e2ec233fd7192c43b343c21a4b2
Instruction ID: 643ca9458c078f4f206f402b33b4a59652db29fd3f52ba10861eaf53a9e21ec1
Opcode Fuzzy Hash: 0c72c958fb1bd06fba4b8cbd329129332ac42e2ec233fd7192c43b343c21a4b2
Instruction Fuzzy Hash: D7214771A00148BFEB14AB76DC49CFFB7B8EF46364B144129F821A71D1DB7D5909AB20

Function 01012F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01012F8D
LoadLibraryW.KERNEL32(?), ref: 01012F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01012FA9
DestroyWindow.USER32(?), ref: 01012FB1

Strings

SysAnimate32, xrefs: 01012F68

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9553e226d9536a04a22ff57c9f4eec58cea806637d8038136c9ae8426a2c16a5
Instruction ID: ff33edffd288a0ea6e20cc9ad562d50542e7316fdcdf541abd0799476de5aa0d
Opcode Fuzzy Hash: 9553e226d9536a04a22ff57c9f4eec58cea806637d8038136c9ae8426a2c16a5
Instruction Fuzzy Hash: DD21CD71200209AFEF214EA8DC84FBB37EDEB49364F20062CFA90D6199D779DC519760

Function 00FA4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FA4D1E,00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002), ref: 00FA4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FA4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FA4D1E,00FB28E9,?,00FA4CBE,00FB28E9,010488B8,0000000C,00FA4E15,00FB28E9,00000002,00000000), ref: 00FA4DC3

Strings

CorExitProcess, xrefs: 00FA4D98
mscoree.dll, xrefs: 00FA4D86

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 85a69d6e25db7bf79085262c078ee43ac7c13ca08426342dd2a588a86d660d96
Instruction ID: ca7742a31e999728178f0a570effbfa9c9502e0f3f6b03c2046d1d3ba759b5c7
Opcode Fuzzy Hash: 85a69d6e25db7bf79085262c078ee43ac7c13ca08426342dd2a588a86d660d96
Instruction Fuzzy Hash: 0AF0C274A80218BBEB209F90DD49BADBFB4EF45721F0000A8F845A6644CF7A9E40DB90

Function 00FDD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00FDD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FDD3BF
FreeLibrary.KERNEL32(00000000), ref: 00FDD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00FDD3B9
X64, xrefs: 00FDD2A8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 220f0f0e99bdd54533f8436176362116e959a4df00ae720143ca93a006db86bb
Instruction ID: 5b566e622cb68a211a826c90ac3be52dddad9610a8ee02806402eb256a557995
Opcode Fuzzy Hash: 220f0f0e99bdd54533f8436176362116e959a4df00ae720143ca93a006db86bb
Instruction Fuzzy Hash: 9EF0EC72CC26119BE7751620CC58E5D7325AF11756B5C815BF885E6208D738CD40A782

Function 00F84E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F84EAE
FreeLibrary.KERNEL32(00000000,?,?,00F84EDD,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F84EA8
kernel32.dll, xrefs: 00F84E94

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6dea2f3faa78d693215ac99b3141f40ba24e26ecb180d39b9f40b1601331f624
Instruction ID: b4df7fe473c65581504713358bcc2b37085fa6fd260e6d18383071949ee55c78
Opcode Fuzzy Hash: 6dea2f3faa78d693215ac99b3141f40ba24e26ecb180d39b9f40b1601331f624
Instruction Fuzzy Hash: 43E08635E825235BA3316B256818A9B6654AF82B72B050115FC40E6104DB6CDC0152A0

Function 00F84E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84E74
FreeLibrary.KERNEL32(00000000,?,?,00FC3CDE,?,01051418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F84E87

Strings

kernel32.dll, xrefs: 00F84E5B
Wow64RevertWow64FsRedirection, xrefs: 00F84E6E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ec1dcca079ab0cf73e78278cd033c3bc0cf01819795af62ededb6e4ceb813138
Instruction ID: ba632805ccd99eecc2c0bbce28dca03512e76135669ae3f9171b1b057f4df6e4
Opcode Fuzzy Hash: ec1dcca079ab0cf73e78278cd033c3bc0cf01819795af62ededb6e4ceb813138
Instruction Fuzzy Hash: F0D01235A826329766322B256918ECB6A18BF86B653050525B985E6108CF6DDD0197D0

Function 00FF2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2C05
DeleteFileW.KERNEL32(?), ref: 00FF2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FF2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF2CC0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f9d6ab77ca3977feaf199873d80645bbd965bd60f40219a8c64718abaea698b4
Instruction ID: 63efbfa0b072c59f6edf2671ddf340e0130162fdc95b651eb5c39beffff7478a
Opcode Fuzzy Hash: f9d6ab77ca3977feaf199873d80645bbd965bd60f40219a8c64718abaea698b4
Instruction Fuzzy Hash: E2B161B2D0011DABDF21EFA4CC85EEE7B7DEF49350F1040A6F609E6151EA349A449F61

Function 0100A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0100A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0100A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0100A468
CloseHandle.KERNEL32(?), ref: 0100A63D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e97c99259ee5418eef4459be85d5f4aa74bf9c30ac6f1ab5b6b84569b89da9db
Instruction ID: 3686f39c44c24248cda4ab5f3d29283618a2652e52fa289ddf36622c9ca61e4e
Opcode Fuzzy Hash: e97c99259ee5418eef4459be85d5f4aa74bf9c30ac6f1ab5b6b84569b89da9db
Instruction Fuzzy Hash: 0EA193716043009FE720DF28DC86F2AB7E5AF88714F14885DF69A9B2D2DB75EC418B91

Function 00FBBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01023700), ref: 00FBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0105121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01051270,000000FF,?,0000003F,00000000,?), ref: 00FBBC36
_free.LIBCMT ref: 00FBBB7F

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBBD4B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2bd389b5a8526ba998461be5a0d860dc92578c9b2b43d1a1ed8fb100cbaf3936
Instruction ID: 3ab351e86a78f0ad91b39144555e5672a282184826a33a39838c8a83f835dfee
Opcode Fuzzy Hash: 2bd389b5a8526ba998461be5a0d860dc92578c9b2b43d1a1ed8fb100cbaf3936
Instruction Fuzzy Hash: C9510BB1D04209AFDB20EF66DC81AEEBBB8EF44360B10425AE454D7155EBB59E40EF50

Function 00FEE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FECF22,?), ref: 00FEDDFD

Part of subcall function 00FEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FECF22,?), ref: 00FEDE16

Part of subcall function 00FEE199: GetFileAttributesW.KERNEL32(?,00FECF95), ref: 00FEE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FEE473
MoveFileW.KERNEL32(?,?), ref: 00FEE4AC
_wcslen.LIBCMT ref: 00FEE5EB
_wcslen.LIBCMT ref: 00FEE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FEE650

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 65943a36e2fe4a84f9915bc7620b3fbc81bee7ea1ec021d4b1e0be426cd8ef5e
Instruction ID: 5d117d81f70aae29c3eadeb1dba78efa017c6c82949a6c2461e26193beb93d34
Opcode Fuzzy Hash: 65943a36e2fe4a84f9915bc7620b3fbc81bee7ea1ec021d4b1e0be426cd8ef5e
Instruction Fuzzy Hash: 885196B24083855BC724EB90DC819DF73ECAF85350F00491EF589D3191EF79A6889766

Function 0100B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 0100C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100B6AE,?,?), ref: 0100C9B5
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100C9F1
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA68
Part of subcall function 0100C998: _wcslen.LIBCMT ref: 0100CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0100BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0100BB63
RegCloseKey.ADVAPI32(?,?), ref: 0100BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0100BBB3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a2e6108b6e692bab6637d2b5d4efca4a409bbc3011f52983d79dd8eb95d8d88e
Instruction ID: 312f7c78596755738d3f61d0aa14a76e84dcf616bcae22c56128186246cf2fa4
Opcode Fuzzy Hash: a2e6108b6e692bab6637d2b5d4efca4a409bbc3011f52983d79dd8eb95d8d88e
Instruction Fuzzy Hash: DA610334208201AFE325DF14C890E7ABBE4FF85308F14859CF0998B292DB75ED45CB92

Function 00FE8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE8BCD
VariantClear.OLEAUT32 ref: 00FE8C3E
VariantClear.OLEAUT32 ref: 00FE8C9D
VariantClear.OLEAUT32(?), ref: 00FE8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FE8D3B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3db55032a7252707c7756a15580455d63fa00fceef59c721464d449fe065927c
Instruction ID: 1fc2ba7b1c912e397c15d915fa47531143d833d4d898d7bea6f717b9aa88f084
Opcode Fuzzy Hash: 3db55032a7252707c7756a15580455d63fa00fceef59c721464d449fe065927c
Instruction Fuzzy Hash: 9F518CB5A00219EFCB10DF59C884AAAB7F5FF89310B118559F909DB354EB34E912CF90

Function 00FF8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FF8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FF8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FF8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FF8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FF8C5F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8ccc3f6639c31785741f84c82e0e157da5c3d3df222b43d9db820f9195ae9f79
Instruction ID: b457215ed9c83d1c8694e97b6631cc10569a40db63e074842f0a31670e9f0656
Opcode Fuzzy Hash: 8ccc3f6639c31785741f84c82e0e157da5c3d3df222b43d9db820f9195ae9f79
Instruction Fuzzy Hash: 47515035A002199FDB14EF54C881EADBBF5FF48314F088058E949AB362CB35ED41DBA0

Function 01008EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01008F40
GetProcAddress.KERNEL32(00000000,?), ref: 01008FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01008FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01009032
FreeLibrary.KERNEL32(00000000), ref: 01009052

Part of subcall function 00F9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FF1043,?,7529E610), ref: 00F9F6E6
Part of subcall function 00F9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FDFA64,00000000,00000000,?,?,00FF1043,?,7529E610,?,00FDFA64), ref: 00F9F70D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c37e62403c48105f0ffe5bfffbd63c54dfe1ec796b0db3c9c8af93fb79dcb34c
Instruction ID: 70fc0ce73d3112a3c74fae6123e35edc586e50a723224800a23428d70574e999
Opcode Fuzzy Hash: c37e62403c48105f0ffe5bfffbd63c54dfe1ec796b0db3c9c8af93fb79dcb34c
Instruction Fuzzy Hash: 9B515E34A05205DFD716EF68C4848ADBBF1FF49314F0880A9E9499B3A2DB35ED85CB90

Function 01016B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01016C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01016C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01016C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FFAB79,00000000,00000000), ref: 01016C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01016CC7

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 50b9933c4838c458a34e8d3fc4d3f49ee40da2e81661d5db6e174caed99cb48e
Instruction ID: c22f56a399594d57bd843b5224ecbbb06beea76a6700275ae75f5def2bf764aa
Opcode Fuzzy Hash: 50b9933c4838c458a34e8d3fc4d3f49ee40da2e81661d5db6e174caed99cb48e
Instruction Fuzzy Hash: 2141A135A00108AFE7248E68CD54BBA7FE5EB09350F0502A8F995A7298C3BAED41CA40

Function 00FB2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB20C3
_free.LIBCMT ref: 00FB20E3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e6c8f50a3451af0b2a3fb7e419364829a669359c11c13fab982e25c3296aca8
Instruction ID: 400b6f76bcece783d89050dad40d34e1e7be183a82b6a8fb130dd1d31e650adf
Opcode Fuzzy Hash: 5e6c8f50a3451af0b2a3fb7e419364829a669359c11c13fab982e25c3296aca8
Instruction Fuzzy Hash: 2F41E276E00200AFDB20EF79C980A9DB7B5EF89320F154569E515EB355DB31AD01EF80

Function 00F9912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F99141
ScreenToClient.USER32(00000000,?), ref: 00F9915E
GetAsyncKeyState.USER32(00000001), ref: 00F99183
GetAsyncKeyState.USER32(00000002), ref: 00F9919D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 581f06b5a20ce2f053f0c0e0a0893612fd09ff583f7315621e77e212e786bee9
Instruction ID: da26b5f5369d87f7d2a5adf0f69f9537dda5a0347a8ebcf66def6a30e03e1824
Opcode Fuzzy Hash: 581f06b5a20ce2f053f0c0e0a0893612fd09ff583f7315621e77e212e786bee9
Instruction Fuzzy Hash: 2841AF3190820AEBDF15AF68C844BEEB775FB05334F24431AE425A6290D7745990EB51

Function 00FF3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FF38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FF3922
TranslateMessage.USER32(?), ref: 00FF394B
DispatchMessageW.USER32(?), ref: 00FF3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF3966

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3afb2c593c39824ae9d56f7851d877bc90d632a38c9aa952fa3f55bb5a495fba
Instruction ID: 62cc494c8aae053b25d3b48acb3320e27541e28f2de6281f4bccd44fc28a25cf
Opcode Fuzzy Hash: 3afb2c593c39824ae9d56f7851d877bc90d632a38c9aa952fa3f55bb5a495fba
Instruction Fuzzy Hash: 8131E971D4434AEEEB35CB34D448BB737A9AF05354F04055DE6A2C21A4E3FD9A84EB11

Function 00FFCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FFCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FFC21E,00000000), ref: 00FFCFF2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 6239f5a288366332045da7357851ff0e6a22b4b9a605058d4ea1acc6bb0f4a41
Instruction ID: 918804197faae8e02017a141549f05da4585ad296b009ae80d35e3bec78acf6d
Opcode Fuzzy Hash: 6239f5a288366332045da7357851ff0e6a22b4b9a605058d4ea1acc6bb0f4a41
Instruction Fuzzy Hash: E531737190021DAFEB20DFA5CA84ABBB7F9EF04310B10442EF656D2150D735ED41EBA0

Function 00FE1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FE19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FE19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FE19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FE19E2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dc06742104bed5cbdb3aac82756f1ffbb7bd58caf7cc45024ad323dc78cb3538
Instruction ID: 853bf5bab961057bbf7c2cafbb204e0dc890a02423e30d1cb714225f40f2478a
Opcode Fuzzy Hash: dc06742104bed5cbdb3aac82756f1ffbb7bd58caf7cc45024ad323dc78cb3538
Instruction Fuzzy Hash: 2931E272900259EFDB10CFA9C998ADE3BB5FB04324F004225F961A72C1C374E944DB90

Function 01015706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01015745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0101579D
_wcslen.LIBCMT ref: 010157AF
_wcslen.LIBCMT ref: 010157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01015816

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b04964b7c5bb43632ab39a7ee8892886a4e4b0e74bed246aac5375b0901cdee6
Instruction ID: d2c565ff0f1cbe3cce1a7c3a37dd69ecf3a228943542db714a1ae3369cee2e3b
Opcode Fuzzy Hash: b04964b7c5bb43632ab39a7ee8892886a4e4b0e74bed246aac5375b0901cdee6
Instruction Fuzzy Hash: CC21B9719002189BDB209F64DC85AEE7BB8FF86328F004156EA59EF188D7789585CF50

Function 01000930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01000951
GetForegroundWindow.USER32 ref: 01000968
GetDC.USER32(00000000), ref: 010009A4
GetPixel.GDI32(00000000,?,00000003), ref: 010009B0
ReleaseDC.USER32(00000000,00000003), ref: 010009E8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3f3510f09666317401fa4dc39487d031dc42e6a10b5daa38f44cff1c5ff599cd
Instruction ID: 992916b67256ba7024998d2985d8f0b062c8c91ec567fe072713813c0e0535df
Opcode Fuzzy Hash: 3f3510f09666317401fa4dc39487d031dc42e6a10b5daa38f44cff1c5ff599cd
Instruction Fuzzy Hash: E321A135600204AFE714EF64C984AAEBBE5FF48740F048468F98A97365CB39EC04DB50

Function 00FBCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FBCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FBCDE9

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FBCE0F
_free.LIBCMT ref: 00FBCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FBCE31

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 2affc8699f9602bd3f298e5f244066e37a115f334a79598e271ad92616836245
Instruction ID: 3c3ba769e54f6513668fab9bc9b96d6872d136a725154afd699c2424cfb29e4a
Opcode Fuzzy Hash: 2affc8699f9602bd3f298e5f244066e37a115f334a79598e271ad92616836245
Instruction Fuzzy Hash: 44018872A42215BF332125776C48DBB796DDEC6BA13150129F905DB204DA69CD01AAF0

Function 00F99639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
SelectObject.GDI32(?,00000000), ref: 00F996A2
BeginPath.GDI32(?), ref: 00F996B9
SelectObject.GDI32(?,00000000), ref: 00F996E2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fca23fa8955772a4aaf73d6f9026e8c46f3dded8dba1da88ee063362e2ad4c2b
Instruction ID: 201575bc7e4c44301a7ab8422a28d4b54b7401af8659660b69de33090c35c4e3
Opcode Fuzzy Hash: fca23fa8955772a4aaf73d6f9026e8c46f3dded8dba1da88ee063362e2ad4c2b
Instruction Fuzzy Hash: 2521C571815305EFFF219F68E9047AA3B79FB11321F11021AF491961D8D3BA9891DF90

Function 00FE5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FE5726
_memcmp.LIBVCRUNTIME ref: 00FE5744
_memcmp.LIBVCRUNTIME ref: 00FE5757
_memcmp.LIBVCRUNTIME ref: 00FE576F
_memcmp.LIBVCRUNTIME ref: 00FE5787

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4abe7a3fdee2c576c70d349f8808c762693043d0e0615a9417e5429fa4b5e798
Instruction ID: a5d39e7ae2ebf2c94adf20cd8bbcbfbd98c8002750a7744986558d2fccb2b9e3
Opcode Fuzzy Hash: 4abe7a3fdee2c576c70d349f8808c762693043d0e0615a9417e5429fa4b5e798
Instruction Fuzzy Hash: 0B01B5A664174EFBD60895139E92FBB735CAB61BACF014024FD049E241F764ED24A2E0

Function 00FB2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FAF2DE,00FB3863,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6), ref: 00FB2DFD
_free.LIBCMT ref: 00FB2E32
_free.LIBCMT ref: 00FB2E59
SetLastError.KERNEL32(00000000,00F81129), ref: 00FB2E66
SetLastError.KERNEL32(00000000,00F81129), ref: 00FB2E6F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38c094241bdf5c50c0692fb0b5f805aae0b9ca4793922ed23ec8b6a5831b0142
Instruction ID: e183efd626bf8310a65a164d937418d92e4f463a80db6adf3fe9bd3df1d1279b
Opcode Fuzzy Hash: 38c094241bdf5c50c0692fb0b5f805aae0b9ca4793922ed23ec8b6a5831b0142
Instruction Fuzzy Hash: 3C01287668560077E763263B6D85EEF366DBBC53B1B244428F865A2186EF3DCC017E20

Function 00FE000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?,?,00FE035E), ref: 00FE002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?), ref: 00FE0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FDFF41,80070057,?,?), ref: 00FE0070

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 649d4bab776c3b38c34ff38716f7dc25adf018eb4d823d0e04348b9fab49ba64
Instruction ID: b44c098a6fa621846039909e7c953eef9139a9be659518d2cd16d69022328682
Opcode Fuzzy Hash: 649d4bab776c3b38c34ff38716f7dc25adf018eb4d823d0e04348b9fab49ba64
Instruction Fuzzy Hash: 8101A772640205BFEB205F6ADD44BAA7AEDEF44761F144114FE45D2204DBB9DD809760

Function 00FEE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FEE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FEE9A5
Sleep.KERNEL32(00000000), ref: 00FEE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FEE9B7
Sleep.KERNEL32 ref: 00FEE9F3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4cc1f0205f5ecded0a615e64eccbf6a7c13c85c213b995c629b9a564d500a20e
Instruction ID: 84198e97c9e104bc9ddadadd85d1b334e2dbdfcee22911dd6323035dbcd58a12
Opcode Fuzzy Hash: 4cc1f0205f5ecded0a615e64eccbf6a7c13c85c213b995c629b9a564d500a20e
Instruction Fuzzy Hash: 67018C31D4162DDBDF10AFE6E949AEDBBB8FF09310F000556E542B2245CB399550DBA1

Function 00FE10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FE0B9B,?,?,?), ref: 00FE1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE114D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ce06ba6583f880cc6a476fcbddc1977af2ada55c63f3992a8c16417a23269da8
Instruction ID: 0aa62f4c7c2da2dc9889e3454ebc3b9f3bbc6acaae780d5c84e24405cd49bea0
Opcode Fuzzy Hash: ce06ba6583f880cc6a476fcbddc1977af2ada55c63f3992a8c16417a23269da8
Instruction Fuzzy Hash: CC016D79540305BFEB214F66DD49A6A3B6EFF86360B100414FA81C3350DA7ADC009B60

Function 00FE0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE1002

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0f12b9f94067c212ae2decc3948cbf510f8a294137657ff429d7dfdb06e1d5b8
Instruction ID: 90058e65cd77ac95c70d569a448f421c407587b04718db5b83ef6a23b5c038d7
Opcode Fuzzy Hash: 0f12b9f94067c212ae2decc3948cbf510f8a294137657ff429d7dfdb06e1d5b8
Instruction Fuzzy Hash: 12F0C239180341ABE7210FA6DD4DF563B6EFF8A761F110414FA85C7284CA39DC408B60

Function 00FE1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1062

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7487e1be37586cd6998b3afc873cad626359894f488672169a2b6db6997c43d4
Instruction ID: 46d676aec95885f8207515124088171c28582ce2e836e8db0850cb7b79128802
Opcode Fuzzy Hash: 7487e1be37586cd6998b3afc873cad626359894f488672169a2b6db6997c43d4
Instruction Fuzzy Hash: 69F06239180351ABE7225FA6ED49F563B6EFF8A761F110414FA85C7240CA79D9508B60

Function 00FF030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0324
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0331
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF033E
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF034B
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0358
CloseHandle.KERNEL32(?,?,?,?,00FF017D,?,00FF32FC,?,00000001,00FC2592,?), ref: 00FF0365

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 81622ea7cb5b9b2e78448129742018577ccf8daec46d11f54acbf7d04b2361b2
Instruction ID: b7303cc416f3a5bb30950ab289a7e821c8206e3aa4ff2b1015c46e55c0063959
Opcode Fuzzy Hash: 81622ea7cb5b9b2e78448129742018577ccf8daec46d11f54acbf7d04b2361b2
Instruction Fuzzy Hash: 9401A272800B199FC7309F66D880822F7F5BF507253158A3FD29652932C7B1A954DF80

Function 00FBD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FBD752

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FBD764
_free.LIBCMT ref: 00FBD776
_free.LIBCMT ref: 00FBD788
_free.LIBCMT ref: 00FBD79A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2adc215e0668531fcf3d2dcd3898e1f5ee7ebd35bdc621a48acf9c3b1c70754
Instruction ID: efa9535809ff424607aa8138d7cd89576f2b876d106b2d93de831a418ad929cc
Opcode Fuzzy Hash: f2adc215e0668531fcf3d2dcd3898e1f5ee7ebd35bdc621a48acf9c3b1c70754
Instruction Fuzzy Hash: 98F068769012047B9765EA5AFAC5CD677EDBB043307A40C09F048D7505DB39FC406F65

Function 00FE5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FE5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FE5C6F
MessageBeep.USER32(00000000), ref: 00FE5C87
KillTimer.USER32(?,0000040A), ref: 00FE5CA3
EndDialog.USER32(?,00000001), ref: 00FE5CBD

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 87fe08e06caaf2f9b54a6aad06686e05b5dee814d7e592cd0bc2cf8bce42eba2
Instruction ID: 7a96187b4be9082a0d626c1c50c5f04bf05bdb30cae0ffcfc886d3e7966d5ebd
Opcode Fuzzy Hash: 87fe08e06caaf2f9b54a6aad06686e05b5dee814d7e592cd0bc2cf8bce42eba2
Instruction Fuzzy Hash: 6E01D130540B04ABFB305B25EE5EFA677B8BF08B09F040559A283A10D1DBF9B984DB91

Function 00FB22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB22BE

Part of subcall function 00FB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000), ref: 00FB29DE
Part of subcall function 00FB29C8: GetLastError.KERNEL32(00000000,?,00FBD7D1,00000000,00000000,00000000,00000000,?,00FBD7F8,00000000,00000007,00000000,?,00FBDBF5,00000000,00000000), ref: 00FB29F0

_free.LIBCMT ref: 00FB22D0
_free.LIBCMT ref: 00FB22E3
_free.LIBCMT ref: 00FB22F4
_free.LIBCMT ref: 00FB2305

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 049684007fe95691d02026dbd6550e1814b25ed39376c4ba9fdbb46a01ecd234
Instruction ID: 07784d4652b979e0ae00d223379c0116b391a246940a2eaf20edcac57bd31039
Opcode Fuzzy Hash: 049684007fe95691d02026dbd6550e1814b25ed39376c4ba9fdbb46a01ecd234
Instruction Fuzzy Hash: 0DF054F48013109BA7A2AF59F94199E3B78F7187A0B000A0AF498D2A6DC73F0411BFE5

Function 00F995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F995D4
StrokeAndFillPath.GDI32(?,?,00FD71F7,00000000,?,?,?), ref: 00F995F0
SelectObject.GDI32(?,00000000), ref: 00F99603
DeleteObject.GDI32 ref: 00F99616
StrokePath.GDI32(?), ref: 00F99631

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ee03a35969b0e524a2dae65677f59d89135b5423dcd96566c695e3fa3b178a62
Instruction ID: e50202f537ea208df8e157d79f1d4eb0da58dd39a9763d086c1895124276710b
Opcode Fuzzy Hash: ee03a35969b0e524a2dae65677f59d89135b5423dcd96566c695e3fa3b178a62
Instruction Fuzzy Hash: 86F031314493049BEB365F59E90C7AA3B71A701332F058218F4D5550E8C77E8951DF64

Function 00FB0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FB10F9
__freea.LIBCMT ref: 00FB1117

Part of subcall function 00FB1537: _free.LIBCMT ref: 00FB154F

Strings

a/p, xrefs: 00FB11DE
am/pm, xrefs: 00FB117A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4911523b3de26c763970c8d9aeb2d59fb9b7eef56c94d05f14b70d6ab66a4c9f
Instruction ID: 26d5ddcce5afc944df96b5a7dba41fd954ea79af5c1b2feeaa28347c5f870f29
Opcode Fuzzy Hash: 4911523b3de26c763970c8d9aeb2d59fb9b7eef56c94d05f14b70d6ab66a4c9f
Instruction Fuzzy Hash: 63D11532D00206CADB249F6AC865BFEB7F4FF06320FA80159E9019B650E7759D80EF91

Function 01007B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FA0242: EnterCriticalSection.KERNEL32(0105070C,01051884,?,?,00F9198B,01052518,?,?,?,00F812F9,00000000), ref: 00FA024D
Part of subcall function 00FA0242: LeaveCriticalSection.KERNEL32(0105070C,?,00F9198B,01052518,?,?,?,00F812F9,00000000), ref: 00FA028A

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FA00A3: __onexit.LIBCMT ref: 00FA00A9

__Init_thread_footer.LIBCMT ref: 01007BFB

Part of subcall function 00FA01F8: EnterCriticalSection.KERNEL32(0105070C,?,?,00F98747,01052514), ref: 00FA0202
Part of subcall function 00FA01F8: LeaveCriticalSection.KERNEL32(0105070C,?,00F98747,01052514), ref: 00FA0235

Strings

G, xrefs: 01007C7F
Variable must be of type 'Object'., xrefs: 01007C3A
5, xrefs: 01007C78

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 131b8cb1ea8a67b5690074d7c17844ae0b3a77b32b89f5f122b36915682e1cf1
Instruction ID: da0a9ae3429a694b88a486d699550124423b6ac36fced5458c70cd6b78329a2a
Opcode Fuzzy Hash: 131b8cb1ea8a67b5690074d7c17844ae0b3a77b32b89f5f122b36915682e1cf1
Instruction Fuzzy Hash: 5D918F71A00209EFEB16EF58D890DADB7B1FF45304F04809DF9865B291DB79AE41CB51

Function 00FE2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE21D0,?,?,00000034,00000800,?,00000034), ref: 00FEB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FE2760

Part of subcall function 00FEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FEB3F8

Part of subcall function 00FEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FEB355
Part of subcall function 00FEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FE2194,00000034,?,?,00001004,00000000,00000000), ref: 00FEB365
Part of subcall function 00FEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FE2194,00000034,?,?,00001004,00000000,00000000), ref: 00FEB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE281A

Strings

@, xrefs: 00FE2832

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3fa6c3312649f31cf08643f79a72a3e70e9a5c2a7329d72a9e48ae5541586549
Instruction ID: 57ed32bf5fe704099e99703a9546ef27ca9ecf44decb9574bc0d278edf509007
Opcode Fuzzy Hash: 3fa6c3312649f31cf08643f79a72a3e70e9a5c2a7329d72a9e48ae5541586549
Instruction Fuzzy Hash: 8C413C72D00218AFDB10DFA5CD86AEEBBB8EF09310F004095FA55B7181DB756E45DBA1

Function 00FB172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FB1769
_free.LIBCMT ref: 00FB1834
_free.LIBCMT ref: 00FB183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FB1760, 00FB1767, 00FB1796, 00FB17CE

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 179deccf77ad450ce654871619fef9020a9ecb23b5b565fe9d47d8603ee57281
Instruction ID: e93fe84f33fd77e8ae6bc028c5f4a9886e0a7dc9b495c5c74c00fe5c96d876ff
Opcode Fuzzy Hash: 179deccf77ad450ce654871619fef9020a9ecb23b5b565fe9d47d8603ee57281
Instruction Fuzzy Hash: F6316175E40218ABDB21DF9A9895EDFBBFCFB85360B644166F804D7201DA748A40EF90

Function 00FEC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FEC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FEC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01051990,01225CF0), ref: 00FEC395

Strings

0, xrefs: 00FEC2DF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a8727a982a8c7165b79a9231f263872a2666dc2319a1c571c9b682367441f753
Instruction ID: ab1e982cbd5d66af0a1bdc3228fa71fea2a70a5d92c16a0f7f839187a878efe5
Opcode Fuzzy Hash: a8727a982a8c7165b79a9231f263872a2666dc2319a1c571c9b682367441f753
Instruction Fuzzy Hash: 1641C3316043819FD720DF26DC44F5ABBE8AF85320F04861DF9A5972D1D774E905EBA2

Function 01014416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101CC08,00000000,?,?,?,?), ref: 010144AA
GetWindowLongW.USER32 ref: 010144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010144D7

Strings

SysTreeView32, xrefs: 0101447C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 17f5a0b2861b9659a8b3eaa08951f671725a79df553299569f3a79ee87fabd72
Instruction ID: 79be8c41981d23cca52322fd8478d1d2368a5e4f949b110995c5e1b7b66294c7
Opcode Fuzzy Hash: 17f5a0b2861b9659a8b3eaa08951f671725a79df553299569f3a79ee87fabd72
Instruction Fuzzy Hash: 6031AD71240205AFEF619E38DC45BEA7BA9EB08334F204725F9B5D21E5DB78E8509B50

Function 0100304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01003077,?,?), ref: 01003378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0100307A
_wcslen.LIBCMT ref: 0100309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01003106

Strings

255.255.255.255, xrefs: 01003095, 0100309A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 746285b0630b1039c2d077f0f34c17619d36a84ae130bfdb701eabbded104f33
Instruction ID: c2806a45eb9753af2fc7be81a02aaf69a81265579772eefbccb08c1d3d76c0ec
Opcode Fuzzy Hash: 746285b0630b1039c2d077f0f34c17619d36a84ae130bfdb701eabbded104f33
Instruction Fuzzy Hash: 7331C1352042019FE722CF28C595AAA7BF0FF14314F148099E9958F3D2D776E941C760

Function 01013EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01013F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01013F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01013F78

Strings

SysMonthCal32, xrefs: 01013F0B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3a418ff386ed73066a3b96c71bfd08b61f9d5e7d7df24ca7479317bd80345735
Instruction ID: 2fca1668ee550d72762b546d31ba65ef18b3ad99edb6327e243a1d67688f94b5
Opcode Fuzzy Hash: 3a418ff386ed73066a3b96c71bfd08b61f9d5e7d7df24ca7479317bd80345735
Instruction Fuzzy Hash: 97219132600219BFEF229E54DC46FEA3BB5FB48724F110258FA956B1C4D6B9E854CB90

Function 01014653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01014705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01014713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0101471A

Strings

msctls_updown32, xrefs: 01014684

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c5ea19395fd917fef92d24afdec16bd805b774ff685830cc03db8e9b25265b60
Instruction ID: 2ae7d9f4d5ac25614875126e6ea2ad7ebc823f504e3181bf71b298076d90f4a2
Opcode Fuzzy Hash: c5ea19395fd917fef92d24afdec16bd805b774ff685830cc03db8e9b25265b60
Instruction Fuzzy Hash: 382160B5600209AFEB11DF68DCC1DA737EDEB4A798B040459FA40DB265CB79EC11DB60

Function 00FE95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE961D

Strings

#requireadmin, xrefs: 00FE95D9
#notrayicon, xrefs: 00FE95B7
#OnAutoItStartRegister, xrefs: 00FE95F3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1bc501321ffc9e2fd22bda6e40acd771ad288bbc758f4ce3673516bfe75f7f3e
Instruction ID: 2dce648fd734a12faf3cd1cea79635e3650eb189c2389362bf21c6c9e0efb823
Opcode Fuzzy Hash: 1bc501321ffc9e2fd22bda6e40acd771ad288bbc758f4ce3673516bfe75f7f3e
Instruction Fuzzy Hash: 1A216B7260869166C331BB26DC02FBB73D89F51310F14442AF94597041EBD89D45E3B1

Function 010137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01013840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01013850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01013876

Strings

Listbox, xrefs: 0101380F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 28cbb0448a90398ff784e54e9b1edafdf3a42126d4644bc296cc08d1c96c1658
Instruction ID: ba69eba6c70ad4c3d66318166053d88a0f6e3dc855152ec1d7c0258ba245eb1a
Opcode Fuzzy Hash: 28cbb0448a90398ff784e54e9b1edafdf3a42126d4644bc296cc08d1c96c1658
Instruction Fuzzy Hash: 8421D7726002187BEF228F58CC41FBB37AEFF89760F108164F9809B194C679DC518790

Function 00FF49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FF4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FF4A5C
SetErrorMode.KERNEL32(00000000,?,?,0101CC08), ref: 00FF4AD0

Strings

%lu, xrefs: 00FF4A6F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d4bd75f9f967e887122bcf20e51f35dc8ece242e05e3364a0fc24d64f75c198d
Instruction ID: 30aec93f39265bb9973f5741722879c460770641affa9c6139ac5ad0a25aa77a
Opcode Fuzzy Hash: d4bd75f9f967e887122bcf20e51f35dc8ece242e05e3364a0fc24d64f75c198d
Instruction Fuzzy Hash: E1319171A40109AFDB10DF54C981EAA7BF8EF09308F1480A8F909DF262D779ED45DB61

Function 010141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0101424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01014264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01014271

Strings

msctls_trackbar32, xrefs: 01014226

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 35a2491decd2e26539196b2544eaec548c0d948da663914ad4dcc479624eb9f9
Instruction ID: 2843e8f49e78ea164d3ee5cf5b1eb98db6c4eb0e5abef0222b0f22094b7593ea
Opcode Fuzzy Hash: 35a2491decd2e26539196b2544eaec548c0d948da663914ad4dcc479624eb9f9
Instruction Fuzzy Hash: FC11C271240248BEEF315E69CC46FEB3BECEF89B64F110524FA95E60A4D376D8519B20

Function 00FE2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F86B57: _wcslen.LIBCMT ref: 00F86B6A

Part of subcall function 00FE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FE2DC5
Part of subcall function 00FE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE2DD6
Part of subcall function 00FE2DA7: GetCurrentThreadId.KERNEL32 ref: 00FE2DDD
Part of subcall function 00FE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FE2DE4

GetFocus.USER32 ref: 00FE2F78

Part of subcall function 00FE2DEE: GetParent.USER32(00000000), ref: 00FE2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FE2FC3
EnumChildWindows.USER32(?,00FE303B), ref: 00FE2FEB

Strings

%s%d, xrefs: 00FE2FFF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 99f67ed4b9ab045f467541d2a2c15e0d5ff1e3620ff11ff37f6ddd377dc0a593
Instruction ID: dba69f03852cf2d986228a548f7187dd836a6c8aeac4af6ca759dcb7f1b2c3da
Opcode Fuzzy Hash: 99f67ed4b9ab045f467541d2a2c15e0d5ff1e3620ff11ff37f6ddd377dc0a593
Instruction Fuzzy Hash: 0C11E4B16002456BDF507F718C89EEE376AAF84318F044075FA09DB143EE389909AB60

Function 01015882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010158EE
DrawMenuBar.USER32(?), ref: 010158FD

Strings

0, xrefs: 0101588F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fb3d2e49a8c427de2d6d7acd7becf0328033e39d147dcac4d06acd88785eeaef
Instruction ID: 68e9a51af2ce2434c05f99cd688aa2a3adde26a833821cb98a19bd3bc97ea020
Opcode Fuzzy Hash: fb3d2e49a8c427de2d6d7acd7becf0328033e39d147dcac4d06acd88785eeaef
Instruction Fuzzy Hash: 9D0188315002189FEB619F15DC44BAFBBB5FF86364F008095F889DA155DB388684DF21

Function 00FE007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c64d6db9f21bc1f8bd1c401970cf012a62992dae983d13b09d6bcd928e19850
Instruction ID: 1cb8ce0aad8f9cd326da99d2928df539abd799a46ea60c37c12221b1f27de480
Opcode Fuzzy Hash: 6c64d6db9f21bc1f8bd1c401970cf012a62992dae983d13b09d6bcd928e19850
Instruction Fuzzy Hash: C4C16A75A0024AEFDB14CFA5C884BAEB7B5FF48314F208598E505EB251CB71EE81DB90

Function 00FB3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FB3F0B
__alldvrm.LIBCMT ref: 00FB410C
__alldvrm.LIBCMT ref: 00FB412E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1c2fedcb1e3fad0668ecde056187d21f1c8a6184fa5d4241a044696a57457ae4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3FA14872E003869FDB16DE19CD917FEBBE4EF613A0F14416DE5859B282C238A941EF50

Function 0100342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01003459
CoUninitialize.OLE32 ref: 01003463
VariantInit.OLEAUT32(?), ref: 0100346E
VariantClear.OLEAUT32(?), ref: 0100371B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3cc52fbd5f024aa999fff024ed45213cedc09d4a3a9f067df28b658d692fa3e2
Instruction ID: b8f04d08e4456220a8ac7aacea46e9434148a78d7985e44c3ee40c5ac375bb22
Opcode Fuzzy Hash: 3cc52fbd5f024aa999fff024ed45213cedc09d4a3a9f067df28b658d692fa3e2
Instruction Fuzzy Hash: 9AA15D756043009FD712EF28C885A6ABBE5FF88714F048859F9899F3A2DB35ED01CB91

Function 00FE0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE0608
CLSIDFromProgID.OLE32(?,?,00000000,0101CC40,000000FF,?,00000000,00000800,00000000,?,0101FC08,?), ref: 00FE062D
_memcmp.LIBVCRUNTIME ref: 00FE064E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6ace6f63c94851e568d67dea472d0dd3e63b2fddf658be7b79ccaad01d7279e8
Instruction ID: 17546bbb44dd399b4bc6f476ba3dc4311c6894b4c0e2e3b703205fe30eca5544
Opcode Fuzzy Hash: 6ace6f63c94851e568d67dea472d0dd3e63b2fddf658be7b79ccaad01d7279e8
Instruction Fuzzy Hash: 53813971A00209EFCB04DF94C984EEEB7B9FF89315F244158E506AB250DB75AE46DF60

Function 0100A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0100A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0100A6BA

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Process32NextW.KERNEL32(00000000,?), ref: 0100A79C
CloseHandle.KERNEL32(00000000), ref: 0100A7AB

Part of subcall function 00F9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FC3303,?), ref: 00F9CE8A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5a8f6900ab25555f0bb9ca34b03eb6bab0f1a7d708b1dd1b36916cb3500f1d8d
Instruction ID: 089d29b7b33a654ec9bfc0a18cb0a42654afb88d688ced576df912479044f959
Opcode Fuzzy Hash: 5a8f6900ab25555f0bb9ca34b03eb6bab0f1a7d708b1dd1b36916cb3500f1d8d
Instruction Fuzzy Hash: BA515C71608301AFE710EF24CC86A6BBBE8FF89754F40891DF58597291EB35D904DB92

Function 00FC1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC14C0

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ffb5f37c8e7366377198cb844894af50288b10c33368dc0c4701fd5ab2640b18
Instruction ID: 418da5ef48fd8959dc257b062bc351fa9a8bea58c2be8300f8be3fd8cb56ada8
Opcode Fuzzy Hash: ffb5f37c8e7366377198cb844894af50288b10c33368dc0c4701fd5ab2640b18
Instruction Fuzzy Hash: 42415D71900102ABDB29FAF98D47FAE3AE5FF43370F144629F419D6193E63C48217661

Function 01016278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010162E2
ScreenToClient.USER32(?,?), ref: 01016315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01016382

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 233a2cd7585d33e96be01633f2ea593d30b284ff9173894fe29c14fb2af86250
Instruction ID: 9bc80ffe8d1b9b94655d5927732736106eeb5fb97bfcc80694a77d2c3af98fe5
Opcode Fuzzy Hash: 233a2cd7585d33e96be01633f2ea593d30b284ff9173894fe29c14fb2af86250
Instruction Fuzzy Hash: 67518E74A00209EFDF21DF58C880AAE7BF5FF45360F108199F89497295D77AE941CB50

Function 01001AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01001AFD
WSAGetLastError.WSOCK32 ref: 01001B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01001B8A
WSAGetLastError.WSOCK32 ref: 01001B94

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 169044488af5f8ff7ea2819b3dd3ad94a14f2b3979d9cc7570e8ea72d7592975
Instruction ID: 6fcb68c1ac3c3d305a15587e269114eab06c9805ee430aa0817c76ac8ae360b0
Opcode Fuzzy Hash: 169044488af5f8ff7ea2819b3dd3ad94a14f2b3979d9cc7570e8ea72d7592975
Instruction Fuzzy Hash: 7C41B334640600AFF721AF28C886F6977E5AF44718F548488FA5A9F7C2D776DD41CB90

Function 00FBB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bee8ba0a9f6c6379a3e6ebd330533409251dea83d824170d2547c5a30f1a29
Instruction ID: 47e47f66ce000f3b1d661fecc5b92edc84b79a3c635a52cc35abcd5f878c1087
Opcode Fuzzy Hash: 52bee8ba0a9f6c6379a3e6ebd330533409251dea83d824170d2547c5a30f1a29
Instruction Fuzzy Hash: B2410A71A00704EFD724DF79CC41BAA7BE9FB85720F10462EF145DB282D7B5A9019B90

Function 00FF56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FF5783
GetLastError.KERNEL32(?,00000000), ref: 00FF57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FF57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FF57FA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8f3dd6c239897c31b36ef8f46782d4451ab80d176751d4612e43526940c7f151
Instruction ID: c6056ed78a87cba101b3cc8ac617c80f9e91d87a387a80662f42af1f2b696f65
Opcode Fuzzy Hash: 8f3dd6c239897c31b36ef8f46782d4451ab80d176751d4612e43526940c7f151
Instruction Fuzzy Hash: 0D414D35600614DFCB10EF15C545A5DBBE1FF49720B188488E95A9F366CB39FD00EBA1

Function 00FBD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FA6D71,00000000,00000000,00FA82D9,?,00FA82D9,?,00000001,00FA6D71,8BE85006,00000001,00FA82D9,00FA82D9), ref: 00FBD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FBD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FBD9AB
__freea.LIBCMT ref: 00FBD9B4

Part of subcall function 00FB3820: RtlAllocateHeap.NTDLL(00000000,?,01051444,?,00F9FDF5,?,?,00F8A976,00000010,01051440,00F813FC,?,00F813C6,?,00F81129), ref: 00FB3852

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6823ebdaea6ef6753d970d38cb97289088a688fc6ce672ec273b4127e2768f28
Instruction ID: 7ce826119543983645742a123f2fce948a9d65f75747e2b1166970b4c9c6133e
Opcode Fuzzy Hash: 6823ebdaea6ef6753d970d38cb97289088a688fc6ce672ec273b4127e2768f28
Instruction Fuzzy Hash: 3031CD72A0020AABDF24DF66DC81EEE7BA5EB41320F054168FC04D7250EB39DD50EBA1

Function 010152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01015352
GetWindowLongW.USER32(?,000000F0), ref: 01015375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01015382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010153A8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e04ab493295990ae51fdc38eabe7621ddbf6e2112f587dfbeca86981e271d2b4
Instruction ID: 17917a34760a3412c8fda538652b736c7b9d4dbf89c0dd999d894f63fd36dca7
Opcode Fuzzy Hash: e04ab493295990ae51fdc38eabe7621ddbf6e2112f587dfbeca86981e271d2b4
Instruction Fuzzy Hash: 7E31C434A55208EFFB748E18CC05BE93BA5AB86310F488142FAD09B1D9C7FD99409B42

Function 00FEAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FEABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FEAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FEAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FEACC6

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4190cac5a2a7348dafe06619ea7353b17e425cf2873b553852e5c15d8fcace5b
Instruction ID: 2fdc278eda542ddfc30c0b0d7aae412da7bb550ce3da955aab1493aaa24e2857
Opcode Fuzzy Hash: 4190cac5a2a7348dafe06619ea7353b17e425cf2873b553852e5c15d8fcace5b
Instruction Fuzzy Hash: 7E313D30D447986FFF35CA6E8C047FE7B656B89320F24471AE485521D0C379E985A753

Function 01017674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101769A
GetWindowRect.USER32(?,?), ref: 01017710
PtInRect.USER32(?,?,01018B89), ref: 01017720
MessageBeep.USER32(00000000), ref: 0101778C

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 68b8c6febcf4d38be83633bc4ef3af708599ea69b916e1cbc6a31900ade3728a
Instruction ID: 81aeee480d1d13ccad5a1e35e2bacb9e2763aeae6051d59b1dfdce075bf7840e
Opcode Fuzzy Hash: 68b8c6febcf4d38be83633bc4ef3af708599ea69b916e1cbc6a31900ade3728a
Instruction Fuzzy Hash: BB419F34601215EFDB12CF58C484FA9BBF5FF49314F1541A8E5949B259C739E941CF90

Function 010116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010116EB

Part of subcall function 00FE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE3A57
Part of subcall function 00FE3A3D: GetCurrentThreadId.KERNEL32 ref: 00FE3A5E
Part of subcall function 00FE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FE25B3), ref: 00FE3A65

GetCaretPos.USER32(?), ref: 010116FF
ClientToScreen.USER32(00000000,?), ref: 0101174C
GetForegroundWindow.USER32 ref: 01011752

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4dc26a7c998b47ae0534b0e70f6d3e564ee307f4a6a3f7c452655e0aeb70ab50
Instruction ID: 76279eab08da634d30b0b865d78d258d513b0b2a17de3ead12569f3f69d2ee41
Opcode Fuzzy Hash: 4dc26a7c998b47ae0534b0e70f6d3e564ee307f4a6a3f7c452655e0aeb70ab50
Instruction Fuzzy Hash: 98315D75D00249AFDB04EFA9C8858EEBBF9EF48304B5080A9E555E7211D739DE45CBA0

Function 00FEDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

_wcslen.LIBCMT ref: 00FEDFCB
_wcslen.LIBCMT ref: 00FEDFE2
_wcslen.LIBCMT ref: 00FEE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FEE018

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 2091b23de8492101d66f668794c0851e06f927e1e86f6ae7aad91ec50eb6d2ad
Instruction ID: 348fbd0b686d6b2a6ba6001df4db71c9acfa6b1182921dd40cd09560f0ad4d2a
Opcode Fuzzy Hash: 2091b23de8492101d66f668794c0851e06f927e1e86f6ae7aad91ec50eb6d2ad
Instruction Fuzzy Hash: 3321D171D00214AFCB20EFA9DD81BAEB7F8EF8A760F144065E905FB245D6749E409BA1

Function 01018FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetCursorPos.USER32(?), ref: 01019001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FD7711,?,?,?,?,?), ref: 01019016
GetCursorPos.USER32(?), ref: 0101905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FD7711,?,?,?), ref: 01019094

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 87f8f476c2fe0fbcb31709a07e520386ba01ac84a39385b83ee9f24f47948417
Instruction ID: 888855a708bc033091f75734c6aca953ebd0b0db471d90f3d94a244e542b1142
Opcode Fuzzy Hash: 87f8f476c2fe0fbcb31709a07e520386ba01ac84a39385b83ee9f24f47948417
Instruction Fuzzy Hash: E3219135600118FFEB66CF98C868EFA7BF9EB89354F044095FA8547155C33A9990DB60

Function 00FED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0101CB68), ref: 00FED2FB
GetLastError.KERNEL32 ref: 00FED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0101CB68), ref: 00FED376

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 675707536f1a22143d222f2b15444c93071410382e1585b4b45b1debaf13d18e
Instruction ID: bccbfa915aace8f73e8c19bfdd7fe9f938ac360fa2c46a823cadc0ac4ba599af
Opcode Fuzzy Hash: 675707536f1a22143d222f2b15444c93071410382e1585b4b45b1debaf13d18e
Instruction Fuzzy Hash: 9A21D1709082419F8310EF29C9808AEB7E8EF56328F504A1DF499C72E1D735D905EB93

Function 00FE1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE102A
Part of subcall function 00FE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1036
Part of subcall function 00FE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1045
Part of subcall function 00FE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE104C
Part of subcall function 00FE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FE15BE
_memcmp.LIBVCRUNTIME ref: 00FE15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE1617
HeapFree.KERNEL32(00000000), ref: 00FE161E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13fe9b7764b2037cf573a5d83c8f9b9e7ac48d6e1dd1e851349c9f160158e261
Instruction ID: 8bf5175bad1e868a10abf99424f3b25fcbe314f04679ff3009311b824fae33c7
Opcode Fuzzy Hash: 13fe9b7764b2037cf573a5d83c8f9b9e7ac48d6e1dd1e851349c9f160158e261
Instruction Fuzzy Hash: 2721AF71E40208EFEF10DFA6C945BEEB7B8FF45354F084459E445AB240E735AA05EBA0

Function 01012782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0101280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01012824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01012832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01012840

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d93ba6b0bd86c85c3cbc57a566b5b7224a33182a682c0f7853a8e21312c8f0fc
Instruction ID: c79f21c295b901f5b25bb00a0a205356d201134e587fb11f116aa77386553ea7
Opcode Fuzzy Hash: d93ba6b0bd86c85c3cbc57a566b5b7224a33182a682c0f7853a8e21312c8f0fc
Instruction Fuzzy Hash: FB21B331205511AFE714EB24C844FAA7B95BF45324F248158F9A68B6D6C77AEC82C7D0

Function 00FE78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?), ref: 00FE8D8C
Part of subcall function 00FE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE8DB2
Part of subcall function 00FE8D7D: lstrcmpiW.KERNEL32(00000000,?,00FE790A,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?), ref: 00FE8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7923
lstrcpyW.KERNEL32(00000000,?,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FE8754,00000000,?,0000001C,?,?,00000000), ref: 00FE7984

Strings

cdecl, xrefs: 00FE797B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 938ca875bf198a7e19d67bcf7129b8c0ac333abef651f01c70d8c1cfbfcb47b5
Instruction ID: eb128dd11e63ed556f35b74f15dc989bacfe2315478abca7fe57d2abc7b62c6c
Opcode Fuzzy Hash: 938ca875bf198a7e19d67bcf7129b8c0ac333abef651f01c70d8c1cfbfcb47b5
Instruction Fuzzy Hash: 2D11063A200381ABDB256F36CC44E7B77A5FF45390B10402AF946C7265EB36D801E751

Function 01017CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01017D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01017D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01017D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FFB7AD,00000000), ref: 01017D6B

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7dc932ac6591ebcbb28f81af51537494156425686a6b482d46e5cf03b6298760
Instruction ID: 5b414b30f1dab75a39c11c117373cf88a1516e29634427da6498fc64090ddfb3
Opcode Fuzzy Hash: 7dc932ac6591ebcbb28f81af51537494156425686a6b482d46e5cf03b6298760
Instruction Fuzzy Hash: D611D232200619AFDB609F2CCC04A6A3FF5BB45364B514768F9B5C72E8D739C950CB40

Function 01015660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010156BB
_wcslen.LIBCMT ref: 010156CD
_wcslen.LIBCMT ref: 010156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01015816

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 170dd78e99eaa3b5b37487730501f07d1946cc868c6240ef6a2f829681c7fe35
Instruction ID: 287533f4006d837d8274d48ab0a0a401b70ca1307a9d171aa58ca71620eb188a
Opcode Fuzzy Hash: 170dd78e99eaa3b5b37487730501f07d1946cc868c6240ef6a2f829681c7fe35
Instruction Fuzzy Hash: B2110A7164020496EF209F65DC80AEF77ACEF8B368F004466FA85DE089DB7CD540CBA0

Function 00FB1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae22428ea4820c2699f2647545cd3a72b970bbef1827c639674d8e85d582feb7
Instruction ID: b3bb51a19319788c621c51bc97f508d03a7f45d62ac545d406a3e05dc9a78b45
Opcode Fuzzy Hash: ae22428ea4820c2699f2647545cd3a72b970bbef1827c639674d8e85d582feb7
Instruction Fuzzy Hash: DA01D6B26066167EF721257A6CD0FA7761CEF457B8F700325F521511C5DB69CC007970

Function 00FE1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE1A8A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 463477f2570ef617a9aaf878eaaa3821ce057a3a5e31db8bdc3a2a6dcacd5188
Instruction ID: fe6f426a4d36b5a1cfe4f7c459c48c1bc7b57b458dba720dc32db6ccb4f8730b
Opcode Fuzzy Hash: 463477f2570ef617a9aaf878eaaa3821ce057a3a5e31db8bdc3a2a6dcacd5188
Instruction Fuzzy Hash: 91113C3AD01219FFEB10DBA6CD85FADBB78FB08750F2000A1E600B7290D6756E50EB94

Function 00FEE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FEE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FEE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FEE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FEE24D

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ee540bbdea83d31ac0d3e0004fc2d0a7a83fbd87815170053cc32cc06d3ff466
Instruction ID: 167803db273b1f0bbc205d7b75c9550075b3689eaf22d28e47f4d631f10f5697
Opcode Fuzzy Hash: ee540bbdea83d31ac0d3e0004fc2d0a7a83fbd87815170053cc32cc06d3ff466
Instruction Fuzzy Hash: 9B112B76D04354BBD7219FA8AC05B9F7FACAB45320F008215F954D3285D2B9CD0487A0

Function 00FAD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FACFF9,00000000,00000004,00000000), ref: 00FAD218
GetLastError.KERNEL32 ref: 00FAD224
__dosmaperr.LIBCMT ref: 00FAD22B
ResumeThread.KERNEL32(00000000), ref: 00FAD249

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 37396b5634af6d2de3f2c1d4edfa55edd917e2e1fbdc84f81d27ab4f8a0199ea
Instruction ID: 441ef908479e5137c9a4cb3e2c95bf1b0c05634cfb58b3d24adf6e3686195ce2
Opcode Fuzzy Hash: 37396b5634af6d2de3f2c1d4edfa55edd917e2e1fbdc84f81d27ab4f8a0199ea
Instruction Fuzzy Hash: 4701F9F68451047BD7216BA5DC09BAE7AADDF83330F104219F926965D0DF75C901E7A0

Function 01019EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F99BB2

GetClientRect.USER32(?,?), ref: 01019F31
GetCursorPos.USER32(?), ref: 01019F3B
ScreenToClient.USER32(?,?), ref: 01019F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01019F7A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7b80b70c68de7f43b96d129b70c96cbbe9a629b94d0d55750a1bc0bbc976293e
Instruction ID: 73d699f2e49e50a8755ed3de2c7caa39fae1317bb566ee4ede977cb553292f29
Opcode Fuzzy Hash: 7b80b70c68de7f43b96d129b70c96cbbe9a629b94d0d55750a1bc0bbc976293e
Instruction Fuzzy Hash: 06115A3290021AFBEB10DF68C8559EE7BB8FB45315F000459F981E3144D339FA81CBA1

Function 00F8600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
GetStockObject.GDI32(00000011), ref: 00F86060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ffba58e76218f4f8657e9f8d4b814066d70f386acc12b0d84597192f929f7239
Instruction ID: e62b0a326f6a92e7dca0226f7d790fc8863ab1d59f36d53afb8bcc852247b347
Opcode Fuzzy Hash: ffba58e76218f4f8657e9f8d4b814066d70f386acc12b0d84597192f929f7239
Instruction Fuzzy Hash: 3911AD72501508BFEF225FA48C44FEABB69FF083A4F000205FA0492100C73BDC60EBA0

Function 00FA3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FA3B56

Part of subcall function 00FA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FA3AD2
Part of subcall function 00FA3AA3: ___AdjustPointer.LIBCMT ref: 00FA3AED

_UnwindNestedFrames.LIBCMT ref: 00FA3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FA3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FA3BA4

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9cb3fd379d20401862ab825dc229fcd493bafa54dc8765dd14c4f76a77480ecb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C70140B2500148BBDF115E95DC42EEB7F6EFF8A754F044014FE4856121C776E961EBA0

Function 00FB3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F813C6,00000000,00000000,?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue), ref: 00FB30A5
GetLastError.KERNEL32(?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue,01022290,FlsSetValue,00000000,00000364,?,00FB2E46), ref: 00FB30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FB301A,00F813C6,00000000,00000000,00000000,?,00FB328B,00000006,FlsSetValue,01022290,FlsSetValue,00000000), ref: 00FB30BF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7e6067ad7a07cfffeb373a120307396f23024f4475d7caeeb0f501000aaf1597
Instruction ID: a9734c94517b7746bf612dbaf0cad498c93f08682b479d890e8bbb22d077d409
Opcode Fuzzy Hash: 7e6067ad7a07cfffeb373a120307396f23024f4475d7caeeb0f501000aaf1597
Instruction Fuzzy Hash: 5601FC36BC5332ABD731597A9C44AD77798AF057F5B200620F945D3144C72AD901DBD0

Function 00FE7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FE747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FE7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FE74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FE74CA

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5b1711e8adc9b972e1dea17b64098d96f8c216cf91861dcb26e8afce344517c7
Instruction ID: 3e6d2c4454bab136ce0a3add818a3a3379a0887d285b36bf87f22dd3c9b8fe8b
Opcode Fuzzy Hash: 5b1711e8adc9b972e1dea17b64098d96f8c216cf91861dcb26e8afce344517c7
Instruction Fuzzy Hash: 46118EB5249394DBF730EF15DD08B927BFCEB00B00F108569A656D61C1D775E904EB50

Function 00FEB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FEACD3,?,00008000), ref: 00FEB126

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3a114f7c5349322e018c459628537350dc6045676dc0e3f77a0596fc1643bc02
Instruction ID: 52b6835da0aa0c026466800c95761d02895c92d6307e2e8ce6e0ea78408434ee
Opcode Fuzzy Hash: 3a114f7c5349322e018c459628537350dc6045676dc0e3f77a0596fc1643bc02
Instruction Fuzzy Hash: 3D115E31C4165CE7DF10AFE5E9987EFBB78FF4A721F104086D981B2184CB389550AB51

Function 01017E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01017E33
ScreenToClient.USER32(?,?), ref: 01017E4B
ScreenToClient.USER32(?,?), ref: 01017E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01017E8A

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ebb288f86585274e56c4d483dfcf1843a6fe14dd10a5f86023e08a103d9e423b
Instruction ID: d7af0d691c6405a32965b670a0283985ec680e1e3052fece4fde87f486a32a42
Opcode Fuzzy Hash: ebb288f86585274e56c4d483dfcf1843a6fe14dd10a5f86023e08a103d9e423b
Instruction Fuzzy Hash: 0C1153B9D0020AAFDB51CF98C584AEEBBF9FF08310F509066E955E3214D779AA54CF90

Function 00FE2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FE2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE2DD6
GetCurrentThreadId.KERNEL32 ref: 00FE2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FE2DE4

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c9ebf6ec3a6ee00c37b9e33eb5873c1619758fd7c8675270cb8c03f307680446
Instruction ID: 899fea33c0f44e2329e5e30854b5ff4c90cee312578177f5e36eb2cdb5d55f99
Opcode Fuzzy Hash: c9ebf6ec3a6ee00c37b9e33eb5873c1619758fd7c8675270cb8c03f307680446
Instruction Fuzzy Hash: 86E06D729812247AE7301A639D0DFEB3E6CEB46BA1F000515B205D1084EAAAD840D7B0

Function 01018863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F99693
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996A2
Part of subcall function 00F99639: BeginPath.GDI32(?), ref: 00F996B9
Part of subcall function 00F99639: SelectObject.GDI32(?,00000000), ref: 00F996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01018887
LineTo.GDI32(?,?,?), ref: 01018894
EndPath.GDI32(?), ref: 010188A4
StrokePath.GDI32(?), ref: 010188B2

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 94f38e2817a81f6839959b015ca6a213cb2f334066cb6a7fd91d4a990d8e0987
Instruction ID: e4c7d0480c5fd4d284085761237ec9fb6ae98d6465f52233ffe2b64a4064c71e
Opcode Fuzzy Hash: 94f38e2817a81f6839959b015ca6a213cb2f334066cb6a7fd91d4a990d8e0987
Instruction Fuzzy Hash: 72F03A36085258BAEB225E98AD0AFCA3F69AF06310F048141FA91650D5C7BE9211DBE9

Function 00F998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F998CC
SetTextColor.GDI32(?,?), ref: 00F998D6
SetBkMode.GDI32(?,00000001), ref: 00F998E9
GetStockObject.GDI32(00000005), ref: 00F998F1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4d0f3b104c53bb2ad97f6b9ac12c4199571cf8b4af212c633f13c71f5cfc6241
Instruction ID: 83da76b08a5570c368c2663fbdba2e9c4f54652b986879dbd7c2c78d3fba7ae7
Opcode Fuzzy Hash: 4d0f3b104c53bb2ad97f6b9ac12c4199571cf8b4af212c633f13c71f5cfc6241
Instruction Fuzzy Hash: 7FE065316C4280AAEB315B74B909BD83F11AB12335F18821AF6F5580D4C37A86409B11

Function 00FE162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FE1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FE11D9), ref: 00FE163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FE11D9), ref: 00FE1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FE11D9), ref: 00FE164F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 188e1bca3794f324cb756bec0ed5071c9f3f61b7c07f7afef58fa068bc9a9991
Instruction ID: a8881e6bab4ef774b2bfcb96dbc7e7015b4cecba2c8ec1e70a2326b726355abe
Opcode Fuzzy Hash: 188e1bca3794f324cb756bec0ed5071c9f3f61b7c07f7afef58fa068bc9a9991
Instruction Fuzzy Hash: A5E08631A41211ABE7301FA29F0DB863B7CBF457A1F144808F285C9084D63DC540C750

Function 00FDD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDD858
GetDC.USER32(00000000), ref: 00FDD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDD882
ReleaseDC.USER32(?), ref: 00FDD8A3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 87b858ad5f86962938d475e031a34a6ef59be52bd4cbcf7e4afcaf8efe47640f
Instruction ID: 30c12e56c298e8e524cd14fb1f497b515445592817e93a405c24ada1227fe1d5
Opcode Fuzzy Hash: 87b858ad5f86962938d475e031a34a6ef59be52bd4cbcf7e4afcaf8efe47640f
Instruction Fuzzy Hash: 30E09AB5840205EFEF61AFE0D60866DBBB6FB08311F249459F98AE7244C73D9941AF50

Function 00FDD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FDD86C
GetDC.USER32(00000000), ref: 00FDD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FDD882
ReleaseDC.USER32(?), ref: 00FDD8A3

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0206d9c6c8dc10170b5d6e3b74a4dc91d9ba230bb7081064b3fb7754a2c3eb08
Instruction ID: 6b4b45f5203e5de42b9201613220ecae58db3afaa4afcaaab33a2fba054e76fe
Opcode Fuzzy Hash: 0206d9c6c8dc10170b5d6e3b74a4dc91d9ba230bb7081064b3fb7754a2c3eb08
Instruction Fuzzy Hash: 77E09A75C40204DFEF61AFA0D50866DBBB5BB08311B149449F98AE7244C73DA901AF50

Function 00FF4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F87620: _wcslen.LIBCMT ref: 00F87625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FF4ED4

Strings

*, xrefs: 00FF4E10
LPT, xrefs: 00FF4DFB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d94d7126514f5317c02ed57b753b64f247cfcb12e75b1f0f18c723b7956303ce
Instruction ID: d87c3d101ca8eaf5b1002017be61cdf7f7209bc8995414c5716f0f616ad79fc3
Opcode Fuzzy Hash: d94d7126514f5317c02ed57b753b64f247cfcb12e75b1f0f18c723b7956303ce
Instruction Fuzzy Hash: 06917F75A002089FDB14DF58C884EBABBF1BF45314F188099E94A9F3A2D735ED85DB90

Function 00FAE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FAE30D

Strings

pow, xrefs: 00FAE2E5, 00FAE302

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1c81c14854593933f1ff5f67e09e20ac7a78b525537c82e095600919b075d42f
Instruction ID: 6087ca9f03cd87513822dd25927c845488a11467480c2664b150bdeee4576946
Opcode Fuzzy Hash: 1c81c14854593933f1ff5f67e09e20ac7a78b525537c82e095600919b075d42f
Instruction Fuzzy Hash: 67513CB1E0C30296CB257A15CD017FA3F989F917A0F3449A8E4D54229DEB398C95BF46

Function 00F9E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F9E1B1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d41c995dd2d62313cc3a69f1d8bfdba820337f4e3207b8deeea7d2db48803105
Instruction ID: 2b00bc8339b8dac8ff56d7015bbd709b79d4fe519482140a4071289f8f844a9d
Opcode Fuzzy Hash: d41c995dd2d62313cc3a69f1d8bfdba820337f4e3207b8deeea7d2db48803105
Instruction Fuzzy Hash: 3B510475D04246DFEF19EF24C4816FA7BAAEF55320F284056ECA19F2D0D6389D42EB50

Function 00F9F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F9F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F9F2BB

Strings

@, xrefs: 00F9F2AF

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d0beaae2e4fb395e04dc69b03aaf3bfe15c1196438a03a5919aeaa99a23e47b4
Instruction ID: 55de63d69b614b1617bc246e4d6a4f332db285cb990158f4210764d3bdcb9905
Opcode Fuzzy Hash: d0beaae2e4fb395e04dc69b03aaf3bfe15c1196438a03a5919aeaa99a23e47b4
Instruction Fuzzy Hash: 375155714087449BE320BF10EC86BABBBF8FF84304F91884DF2D942195EB758529CB66

Function 01005745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010057E0
_wcslen.LIBCMT ref: 010057EC

Strings

CALLARGARRAY, xrefs: 010057E6, 010057EB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 70f463a6dc233a87460caa9cd8cd8b9d7be18e08dd0658e5972081ae2a227984
Instruction ID: d455229cc89a2bad135cac22dae38454213d9608564c781ae174aa5473bee450
Opcode Fuzzy Hash: 70f463a6dc233a87460caa9cd8cd8b9d7be18e08dd0658e5972081ae2a227984
Instruction Fuzzy Hash: 38418F71A002099FDB15EFA9CC859BEBBF5FF49310F244069E945A7292E734DA81CF90

Function 00FFD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FFD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FFD13A

Strings

|, xrefs: 00FFD10B

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a21125140564e94a542e26c20a9eff51999de1e284b77785375397f77bd12041
Instruction ID: b050863b847a42075df5c20a46a50e9262f38cbe52b3b4c9bf32ca2c1dea9e24
Opcode Fuzzy Hash: a21125140564e94a542e26c20a9eff51999de1e284b77785375397f77bd12041
Instruction Fuzzy Hash: F7314D71D00209ABDF15EFA4CC85EEEBFBAFF05310F100019F915A6166E735AA16EB64

Function 0101356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01013621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0101365C

Strings

static, xrefs: 010135BC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5627fc2c4287f2ea1c70c4a09547773abda8117cfff57c1f1fd6cf7e794bd120
Instruction ID: 3fa922f74bc30bb82629d464fc4363954139879d279215f716309ee74e2e05ee
Opcode Fuzzy Hash: 5627fc2c4287f2ea1c70c4a09547773abda8117cfff57c1f1fd6cf7e794bd120
Instruction Fuzzy Hash: A6319071100204AEEB219F28DC80EFB73A9FF48764F008619F9A5D7284DA39E891D760

Function 01014537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0101461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01014634

Strings

', xrefs: 0101458E

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7c866652bc5f17122072f9a8cac4479b122628ce6f5e347891ab0cdcb9369af9
Instruction ID: 12bc9e71bfe5c1951f707c8f292749282640d9102948b2c47fe61ac01e2dac55
Opcode Fuzzy Hash: 7c866652bc5f17122072f9a8cac4479b122628ce6f5e347891ab0cdcb9369af9
Instruction Fuzzy Hash: 0D313674A0020AAFDB14CFA9C980BDA7BF5FB08304F14446AEA44EB356D775A901CF90

Function 010131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01013287

Strings

Combobox, xrefs: 01013249

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 066544093de1fac8b66dec529c8236d9235e8b8952f57ad616b47431b0af4efb
Instruction ID: 45825b6d209269330e483828ff5dd467a35b688b2b9c90a6805de35a366ce26f
Opcode Fuzzy Hash: 066544093de1fac8b66dec529c8236d9235e8b8952f57ad616b47431b0af4efb
Instruction Fuzzy Hash: 7F1193713002086FFF66AE58DC80EFB379AFB48364F104125F9549B295D6399C51C760

Function 01013710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F8604C
Part of subcall function 00F8600E: GetStockObject.GDI32(00000011), ref: 00F86060
Part of subcall function 00F8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F8606A

GetWindowRect.USER32(00000000,?), ref: 0101377A
GetSysColor.USER32(00000012), ref: 01013794

Strings

static, xrefs: 01013757

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 82e1cbcdcd4fa2f0ff9c34133081d3c234b6250698b6a7f34d36dfc57e7a5519
Instruction ID: 807a368f42efb3ba1c3d83e0dc87761fbcc774005998194de07b8da9793319fc
Opcode Fuzzy Hash: 82e1cbcdcd4fa2f0ff9c34133081d3c234b6250698b6a7f34d36dfc57e7a5519
Instruction Fuzzy Hash: 8511267261020AAFEF11DFA8CC45AEA7BF8FB08314F004919F995E6244E739E8509B60

Function 00FFCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FFCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FFCDA6

Strings

<local>, xrefs: 00FFCD66

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2be19759068d84af4ba3536f5e9c6ce0cd7121d0ceb854aab8d14df6cf39a7fc
Instruction ID: b7af80d14397e94c04ab478398477666d7b9836d99a5ac659fda91b646ea091b
Opcode Fuzzy Hash: 2be19759068d84af4ba3536f5e9c6ce0cd7121d0ceb854aab8d14df6cf39a7fc
Instruction Fuzzy Hash: 3311E37260163DBAD7344A668D44FFFBEA8EF127B4F00422AB26993090D2759840E6F0

Function 01013429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010134BA

Strings

edit, xrefs: 0101348F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4ed298f10e15dcedeb4c54ebc9b59352eb893863ad3333df4305f4ce959f4ed8
Instruction ID: 61068143d4d21f1175d2cbbf6b9a6f6266f9b7920000a2a4437338c0fea2e53c
Opcode Fuzzy Hash: 4ed298f10e15dcedeb4c54ebc9b59352eb893863ad3333df4305f4ce959f4ed8
Instruction Fuzzy Hash: 0811BF75140208AFEF628E68DC44AFB37AAFB05374F504324FAA19B1D8CB39EC519750

Function 00FE6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FE6CB6
_wcslen.LIBCMT ref: 00FE6CC2

Strings

STOP, xrefs: 00FE6CBC, 00FE6CC1

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ea532bf36f2af582a215b8f7a2a71e8428b48169486b4a7ff0ad58ffb7274a28
Instruction ID: 83c7809fa62554614d7243716b280e24557fe5100a15e56427ddd02a90ea4ee1
Opcode Fuzzy Hash: ea532bf36f2af582a215b8f7a2a71e8428b48169486b4a7ff0ad58ffb7274a28
Instruction Fuzzy Hash: 62010432A0056B8BCB20AEBECC809BF73A6FA757A07500939E852D2181EB35D800E750

Function 00FE1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FE1D4C

Strings

ListBox, xrefs: 00FE1D16
ComboBox, xrefs: 00FE1CEB

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 87e1334a3f83a435735c038cbc87c80df1f8af2fb2176c4f41395b52474e97d9
Instruction ID: fbcde08b223ee5afc1b6b10da1038c185832455885a2c175ea4f9a7569c0a3c2
Opcode Fuzzy Hash: 87e1334a3f83a435735c038cbc87c80df1f8af2fb2176c4f41395b52474e97d9
Instruction Fuzzy Hash: 53014C71B01219ABCB14FBA6CC55DFE73A8FF06360B140519F872673C1EA759908A760

Function 00FE1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FE1C46

Strings

ListBox, xrefs: 00FE1C10
ComboBox, xrefs: 00FE1BE5

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9fef2616f5c53b79e67c001643a13899228e60fea116ce72de251dbfa9e7a216
Instruction ID: 598e772f8f6d6a4df5780e2b96174cc2e19380ca7d22c7a1a94f437413ffe2a4
Opcode Fuzzy Hash: 9fef2616f5c53b79e67c001643a13899228e60fea116ce72de251dbfa9e7a216
Instruction Fuzzy Hash: A901F771B811456BCB04FB96CE55EFF73A8AB12340F240029B406B7281EA799E08A7B1

Function 00FE1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FE1CC8

Strings

ListBox, xrefs: 00FE1C94
ComboBox, xrefs: 00FE1C69

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 91250d706b6938b5d86958e4cccf8fdcb994ff323d5c914c5dddec69094394b9
Instruction ID: 5e6be0ed9a8074c78110d48cc0e4c0c23dacdf76cf1f5e38eb2d0e6117bd1ed3
Opcode Fuzzy Hash: 91250d706b6938b5d86958e4cccf8fdcb994ff323d5c914c5dddec69094394b9
Instruction Fuzzy Hash: AB01DBB1B8115967CB14F79BCE45AFF73E8AB11340F640015B842B7281EA759F08E771

Function 00FE1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89CB3: _wcslen.LIBCMT ref: 00F89CBD

Part of subcall function 00FE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FE3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FE1DD3

Strings

ListBox, xrefs: 00FE1DA0
ComboBox, xrefs: 00FE1D75

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6b60b7af02545df54e9eb4b7cba22f899dcd45380985b106f5dd03415e4367de
Instruction ID: ad7f560c11ba7d88ddbcd529a41cd9c7660722c127538fecb597e92ea679d505
Opcode Fuzzy Hash: 6b60b7af02545df54e9eb4b7cba22f899dcd45380985b106f5dd03415e4367de
Instruction Fuzzy Hash: 17F0F971B4121967D714F7A6CC55BFF73A8BB02350F480919B462672C1EA759908A760

Function 0100747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01007493
_wcslen.LIBCMT ref: 010074B9

Strings

3, 3, 16, 1, xrefs: 01007483

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bbe4ad61aae27ef4fc9d11ebf2aa711217e6cb9cc269a02438d2eef2cc615ff3
Instruction ID: 48c0adcd88e427ce8cc2ce670209b61b4a437b59b7d30eaf8e5caf07292383ed
Opcode Fuzzy Hash: bbe4ad61aae27ef4fc9d11ebf2aa711217e6cb9cc269a02438d2eef2cc615ff3
Instruction Fuzzy Hash: BDE02341201250106273127D9CC157F76CDCFCA550B11142BF5C1C1196DFDCEDA153A0

Function 00FE0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FE0B23

Strings

Error allocating memory., xrefs: 00FE0B1C
AutoIt, xrefs: 00FE0B17

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3a346e29d21b36c5d0c89549620d677fd16ce92ad5db88fa0bfae1e69b8dca6e
Instruction ID: ce5acfd8e229a152f1f0d68ee5084d6ba2f77b9a95d96fa4ab87255f76a799e9
Opcode Fuzzy Hash: 3a346e29d21b36c5d0c89549620d677fd16ce92ad5db88fa0bfae1e69b8dca6e
Instruction Fuzzy Hash: B1E0D83128430837E12436557D43F897A859F06F20F10042AF7D4D94C38EDA689022E9

Function 00FA0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FA0D71,?,?,?,00F8100A), ref: 00F9F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F8100A), ref: 00FA0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F8100A), ref: 00FA0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FA0D7F

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a0d93d680cbf70060637361140bfcb4489e04f3ff23bb60e07c0ca9aafaef80d
Instruction ID: 6ca1566a4a0af397955617625d061f0e77da6db0c706320868718139926ea5ed
Opcode Fuzzy Hash: a0d93d680cbf70060637361140bfcb4489e04f3ff23bb60e07c0ca9aafaef80d
Instruction Fuzzy Hash: A1E06DB42007018BE7709FB9E5087827BE0AB01B44F00892DE4C6C664ADFBDE4489B91

Function 00FF3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FF302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FF3044

Strings

aut, xrefs: 00FF3038

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c71c915efa12b12f33aa31c8634dbec17fbf9ad74f2ac9e52f706376e1dfc14f
Instruction ID: 1371b06bb7edb29fd39a2945e6834b30491e440fe695bc8c0cc54f9c4ef3c77f
Opcode Fuzzy Hash: c71c915efa12b12f33aa31c8634dbec17fbf9ad74f2ac9e52f706376e1dfc14f
Instruction Fuzzy Hash: 7AD05EB254032867EA30A6A5AD4EFCB3A6CDB05650F0002A1B699D6085EAF9D984CBD0

Function 00FDD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FDD220

Strings

%.3d, xrefs: 00FDD22B
X64, xrefs: 00FDD2A8

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1d753c60d717f57a2a47be2e4f49bb01a4c03068c04574788a5ce5dcaa463894
Instruction ID: 53b939b9acc4ea96137d4ec45c7664588f99232dc650c78a82f48d362684dd4b
Opcode Fuzzy Hash: 1d753c60d717f57a2a47be2e4f49bb01a4c03068c04574788a5ce5dcaa463894
Instruction Fuzzy Hash: 91D012F2844109EADF509AD0CC45AF9B37DAB18342F648463F946D1100D628C5087761

Function 01012322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0101233F

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Strings

Shell_TrayWnd, xrefs: 01012325

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 524e5be799054a2ed1b6b993e1e36157b68146397ea633ac93642f694139d8f5
Instruction ID: ae5cd90ef240548137e7dd4677aec76cc3ad977bd6610e4e2305cac113cb3ecb
Opcode Fuzzy Hash: 524e5be799054a2ed1b6b993e1e36157b68146397ea633ac93642f694139d8f5
Instruction Fuzzy Hash: 52D0A9323C0300BBE274A271EC0FFCABA04AB00B00F0009167685AA1C8E8B9A840CB00

Function 01012356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101236C
PostMessageW.USER32(00000000), ref: 01012373

Part of subcall function 00FEE97B: Sleep.KERNEL32 ref: 00FEE9F3

Strings

Shell_TrayWnd, xrefs: 01012365

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ac7ac07583f8d5404959ec9e669b1f3bd1fc876badfb26bebaf8fb2bdc437198
Instruction ID: a8d2ad984a93164ed672d201c77713681b3dd222f8011371a6a44e29a77517cb
Opcode Fuzzy Hash: ac7ac07583f8d5404959ec9e669b1f3bd1fc876badfb26bebaf8fb2bdc437198
Instruction Fuzzy Hash: 3FD0A9323C13007BF274A271EC0FFCAB604AB04B00F0009167681AA1C8E8B9A840CB04

Function 00FBBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FBBE93
GetLastError.KERNEL32 ref: 00FBBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FBBEFC

Memory Dump Source

Source File: 00000000.00000002.2113581389.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2113551351.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114036294.0000000001042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114230744.000000000104C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114272128.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 41f46096da11a8d5308cc1aafce625fb386628107891241e3ed4241d0d946e9e
Instruction ID: c6d0c852dcd01fb1f0ba13dbafc61a5481f5926d0e71ab6e2c63e878a3eee0b2
Opcode Fuzzy Hash: 41f46096da11a8d5308cc1aafce625fb386628107891241e3ed4241d0d946e9e
Instruction Fuzzy Hash: C841D435A04206AFDF218FE6CC44BFA7BA5EF42320F144169F9599B1A1DBB18D01EF60

Analysis Process: firefox.exePID: 7288, Parent PID: 760COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000028D3EE19177 Relevance: 8.3, APIs: 1, Instructions: 6848nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000028D3EE1919C

Memory Dump Source

Source File: 00000011.00000002.3315018822.0000028D3EE15000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028D3EE15000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_28d3ee15000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction ID: ee6ab660c3324f36135f645350a5d9b6786ecd702721c2a8ae5243c79c58b173
Opcode Fuzzy Hash: 7d855dfef058891d6d0f13281f0639ac0c732643bbd828a8aceaae6a46d64bc4
Instruction Fuzzy Hash: DBA3D531614A588BDB2DDF28DC857A973E5FB55300F04826ED94BD3691DF30EA86CB82

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000C.00000002.2080873146.00000241A54A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000002.2087572903.000001FF65B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2195032345.000001AFC6F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225144423.000001AFC6F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193830188.000001AFC6E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2137668014.000001AFC7AF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2248662845.000001AFD1B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286373281.000001AFD1B0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2250781742.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272595762.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281400144.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287327381.000001AFCE944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245382791.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278119050.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250781742.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245382791.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2248881946.000001AFCEAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136857182.000001AFCEAC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2248662845.000001AFD1B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287572700.000001AFCE69E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283828667.000001AFC82DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289341381.000001AFCC3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281781834.000001AFCC383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281781834.000001AFCC3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2250781742.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272595762.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2304048305.000001AFC5B04000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301250345.000001AFC5B04000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301917157.000001AFC5B04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3310912791.000001C35B740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows&s]v equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3307091515.0000028D3E9A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsl equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3308721217.0000022B5BA54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3309102074.000001C35B6A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsc equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3315569025.0000028D3EE94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows~ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.2080873146.00000241A54A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000002.2087572903.000001FF65B07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking--attempting-deelevation[ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.2080873146.00000241A54A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000002.2087572903.000001FF65B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\DefaultY equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3307091515.0000028D3E9AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video - equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3309102074.000001C35B6A4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309102074.000001C35B6A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3310912791.000001C35B740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3308025744.0000022B5B9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videob equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2138223866.000001AFC78F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: WindowGlobalParent.getActor: Window protocol 'Translations' doesn't match uri about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2123183319.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127486683.000001AFCE949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269166810.000001AFCE94A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2138134784.000001AFC7AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.2079388830.0000000000A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: e" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCEf equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281400144.000001AFCE922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252087387.000001AFC8BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245382791.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278119050.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2124891360.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250781742.000001AFC9D25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245382791.000001AFC7F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000002.2114310099.0000000001218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/videon;C}. equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2136857182.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280879076.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2248881946.000001AFCEAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136857182.000001AFCEAC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2291040069.000001AFC898D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3310345238.0000028D3ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3311307595.0000022B5BD0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2264474140.000001AFC5AAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263290186.000001AFC5AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ngsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000003.2080537440.00000241A54BD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2080873146.00000241A54C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: osk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3308721217.0000022B5BA50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTAR equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3315569025.0000028D3EE90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTARn equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3309102074.000001C35B6A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTARs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000003.2080537440.00000241A54BD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2080873146.00000241A54C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s--kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2136857182.000001AFCEAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s://www.facebook.com/videob equals www.facebook.com (Facebook)
Source: recovery.jsonlz4.tmp.14.dr	String found in binary or memory: url":"https://www.facebook.com/video","title) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2248662845.000001AFD1B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252087387.000001AFC8BA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281574641.000001AFCE36B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2136857182.000001AFCEAF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2300326193.000001AFC5AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comLMEM(x equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2301917157.000001AFC5AD4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303299893.000001AFC5AD4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301250345.000001AFC5AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2273810334.000001AFD2066000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2283828667.000001AFC8294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2138134784.000001AFC7AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xe=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2138593033.000001AFC75BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2136857182.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248881946.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280879076.000001AFCEAB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2289341381.000001AFCC3C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281781834.000001AFCC383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281781834.000001AFCC3C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:57997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:58000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:57998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:58008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:58007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:58010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:58009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:58166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:58167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:58173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:58174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:58175 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 57999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58018
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58193
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 57997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 58001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 58007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58009
Source: unknown	Network traffic detected: HTTP traffic on port 58166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58008
Source: unknown	Network traffic detected: HTTP traffic on port 58018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58174
Source: unknown	Network traffic detected: HTTP traffic on port 58000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58173
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cd829015-d6a8-4cf4-b990-05013b599a5e.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cd829015-d6a8-4cf4-b990-05013b599a5e.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre