Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546471
MD5:	cd6ad64420e0649dd184452ac6482a48
SHA1:	74074b5f08137389c4a709cbdff7a041a76d19cc
SHA256:	9117394486ae8f394f5cedd8280ac81d48d51edfdc4ebf9b131a10894d51235e
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CD6AD64420E0649DD184452AC6482A48)

taskkill.exe (PID: 7136 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3788 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3552 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4308 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5440 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 4120 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1276 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5596 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7136 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e019a9e-297d-4b03-a3f4-7a05c5c32139} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e35b70d10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7652 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -parentBuildID 20230927232528 -prefsHandle 4432 -prefMapHandle 4104 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea5418a-e122-4d93-817d-b1dda58037c9} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4623bf10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8160 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5036 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1df9b93-63d8-44e4-9c27-9beffae50cd4} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4f23bf10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1520	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T00:13:13.877669+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49736	TCP
2024-11-01T00:13:52.751023+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49965	TCP

Code function: 0_2_0071EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0071EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0071ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0071EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0070AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00739576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00739576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b49f6e8d-d
Source: file.exe, 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_72804167-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2257ed5c-d
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_289f44ed-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0D5977 NtQuerySystemInformation,		17_2_000002074B0D5977
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0F94F2 NtQuerySystemInformation,		17_2_000002074B0F94F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0070D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00701201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00701201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0070E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ABF40	0_2_006ABF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A8060	0_2_006A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00712046	0_2_00712046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00708298	0_2_00708298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DE4FF	0_2_006DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D676B	0_2_006D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00734873	0_2_00734873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ACAF0	0_2_006ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CCAA0	0_2_006CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BCC39	0_2_006BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D6DD9	0_2_006D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BD07D	0_2_006BD07D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BB119	0_2_006BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A91C0	0_2_006A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C1394	0_2_006C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C1706	0_2_006C1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C781B	0_2_006C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B997D	0_2_006B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A7920	0_2_006A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C19B0	0_2_006C19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C7A4A	0_2_006C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C1C77	0_2_006C1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C7CA7	0_2_006C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072BE44	0_2_0072BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D9EEE	0_2_006D9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C1F32	0_2_006C1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0D5977	17_2_000002074B0D5977
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0F94F2	17_2_000002074B0F94F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0F9532	17_2_000002074B0F9532
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002074B0F9C1C	17_2_000002074B0F9C1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006A9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006BF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006C0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007137B5 GetLastError,FormatMessageW,

0_2_007137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010BF AdjustTokenPrivileges,CloseHandle,		0_2_007010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0070D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0071648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2200255730.0000017E4F329000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207874511.0000017E49A24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176244136.0000017E4F329000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2209914103.0000017E4DDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177051042.0000017E4DDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113690417.0000017E4DDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2235823336.0000017E4DDE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count - 1 WHERE id = OLD.place_id;
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2199923536.0000017E4F371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176244136.0000017E4F371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2209490826.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176851210.0000017E4F2F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e019a9e-297d-4b03-a3f4-7a05c5c32139} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e35b70d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -parentBuildID 20230927232528 -prefsHandle 4432 -prefMapHandle 4104 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea5418a-e122-4d93-817d-b1dda58037c9} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4623bf10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5036 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1df9b93-63d8-44e4-9c27-9beffae50cd4} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4f23bf10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e019a9e-297d-4b03-a3f4-7a05c5c32139} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e35b70d10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -parentBuildID 20230927232528 -prefsHandle 4432 -prefMapHandle 4104 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea5418a-e122-4d93-817d-b1dda58037c9} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4623bf10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5036 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1df9b93-63d8-44e4-9c27-9beffae50cd4} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4f23bf10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2158163939.0000017E49B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2165416625.0000017E45899000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2158163939.0000017E49B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2165416625.0000017E45899000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006AA40E push 00000000h; retf		0_2_006AA444
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C0A76 push ecx; ret		0_2_006C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00731C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96248

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002074B0D5977 rdtsc

17_2_000002074B0D5977

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 6644	Thread sleep count: 105 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6644	Thread sleep count: 128 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0070DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DC2A2 FindFirstFileExW,	0_2_006DC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007168EE FindFirstFileW,FindClose,	0_2_007168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0071698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00719642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00719642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0071979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00719B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00719B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00715C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00715C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: firefox.exe, 00000011.00000002.3295174039.000002074B630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: firefox.exe, 00000011.00000002.3295174039.000002074B630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: firefox.exe, 00000011.00000002.3295174039.000002074B620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6634-1003_Classes
Source: firefox.exe, 00000010.00000002.3295496805.000001F9FA300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliv]
Source: firefox.exe, 00000010.00000002.3290771220.000001F9F9D7A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290314567.000002074ACBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3294580018.0000019A7C470000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3291031365.0000019A7C1CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3294795351.000001F9FA218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3295496805.000001F9FA300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmxY
Source: firefox.exe, 00000010.00000002.3295496805.000001F9FA300000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002074B0D5977 rdtsc

17_2_000002074B0D5977

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071EAA2 BlockInput,

0_2_0071EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C4CE8 mov eax, dword ptr fs:[00000030h]

0_2_006C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00700B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00700B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C09D5 SetUnhandledExceptionFilter,	0_2_006C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006C0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00701201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070B226 SendInput,keybd_event,

0_2_0070B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00700B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00701663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00701663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C0698 cpuid

0_2_006C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00718195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00718195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006FD27A GetUserNameW,

0_2_006FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_006DB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1520, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1520, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00721204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00721204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00721806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00721806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://profiler.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3291450947.0000019A7C3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2280856313.0000017E4DAF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digiw	firefox.exe, 0000000E.00000003.2159211357.0000017E45875000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160190519.0000017E45875000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158236916.0000017E45875000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160896728.0000017E45875000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160486077.0000017E45875000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2200498815.0000017E4EC3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218194198.0000017E4EC3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147281775.0000017E4EA94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2185597100.0000017E4D93D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3291584505.000001F9FA0E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3292411590.000002074B1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3294945490.0000019A7C603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3292411590.000002074B186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3291450947.0000019A7C38F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2114168598.0000017E4D847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206906967.0000017E4D847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219021226.0000017E4D852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2280307506.0000017E461D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2231746286.0000017E438E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231463033.0000017E4507E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232393690.0000017E4507E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2198253856.0000017E50E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2203878672.0000017E4DAD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2076886617.0000017E45A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077139027.0000017E45C38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2224506428.0000017E4718C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226688195.0000017E463F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218258538.0000017E4E3C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201477064.0000017E4E3C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115386499.0000017E475B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259701777.0000017E47144000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2176851210.0000017E4F2A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2235225088.0000017E4F2C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2101980644.0000017E483F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnoredA	firefox.exe, 0000000E.00000003.2233456589.0000017E4F6D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2177051042.0000017E4DD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077139027.0000017E45C38000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2232393690.0000017E4507E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2208086785.0000017E49364000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2077358766.0000017E45C6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077007729.0000017E45C1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077257676.0000017E45C53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2076886617.0000017E45A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077139027.0000017E45C38000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2242476965.0000017E48730000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2203268237.0000017E4DD3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2114168598.0000017E4D847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206906967.0000017E4D847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219021226.0000017E4D852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2235385769.0000017E4F24D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.li	firefox.exe, 0000000E.00000003.2118230479.0000017E47632000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2205073432.0000017E4D8F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2231218441.0000017E450F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2175453462.0000017E50E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2198253856.0000017E50E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2233456589.0000017E4F6D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2184123966.0000017E4561D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192534232.0000017E4563B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2203268237.0000017E4DD3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3292411590.000002074B103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3291450947.0000019A7C30C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2147613742.0000017E42D1B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2282920564.0000017E4651F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2235385769.0000017E4F24D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3291450947.0000019A7C3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2230344879.0000017E45A93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238574871.0000017E4D777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2145994411.0000017E4EA7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147613742.0000017E42D1B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2119004238.0000017E476E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2278305520.0000017E4ECED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2224506428.0000017E4718C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208086785.0000017E49387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239411920.0000017E49389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219731826.0000017E49387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115386499.0000017E475B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2232092713.0000017E4E9A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2225230226.0000017E4677A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3291584505.000001F9FA0E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3292411590.000002074B1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3294945490.0000019A7C603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3291584505.000001F9FA0E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3292411590.000002074B1E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3294945490.0000019A7C603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2233456589.0000017E4F6D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2280307506.0000017E461D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3292411590.000002074B112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3291450947.0000019A7C313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3290768241.0000019A7C1B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2200498815.0000017E4EC9C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000012.00000002.3291450947.0000019A7C38F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2101980644.0000017E483F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2231218441.0000017E450C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000E.00000003.2233456589.0000017E4F6D7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2189262435.0000017E453E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216363375.0000017E47D92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118089706.0000017E476F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273718688.0000017E476F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230142106.0000017E45FA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216011161.0000017E47D49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211929307.0000017E49226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119004238.0000017E476E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280307506.0000017E461BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194966591.0000017E4EAAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207668260.0000017E4D81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257141609.0000017E482DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180089016.0000017E4762D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205967846.0000017E4D8D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211989074.0000017E482DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216011161.0000017E47D4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2097036235.0000017E4D9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118230479.0000017E4761F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2208086785.0000017E49364000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2177051042.0000017E4DD3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203268237.0000017E4DD3D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2208086785.0000017E49364000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/userw	firefox.exe, 00000012.00000002.3291450947.0000019A7C3F6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237553739.0000017E4D879000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101331749.0000017E4D87D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D879000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2206723168.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101331749.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2206723168.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114168598.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101331749.0000017E4D8AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2185597100.0000017E4D93D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2209914103.0000017E4DD6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DD6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177051042.0000017E4DD6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113690417.0000017E4DD6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3294292278.000001F9FA140000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3291213663.000002074B040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3294692584.0000019A7C570000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2231218441.0000017E450C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546471
Start date and time:	2024-11-01 00:12:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@66/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 52.11.191.138, 35.160.212.113, 142.250.186.78, 2.22.61.56, 2.22.61.59, 216.58.212.174, 142.250.185.234, 142.250.186.138
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 5596 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
19:13:05	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Proposal From Wachler & Associates PC.pdf	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.65.229
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	151.101.66.137
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	34.160.236.64
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	34.160.236.64
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df8b0b42-8c0b-490d-abf0-a82f16f60a0c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.174974946159209
Encrypted:	false
SSDEEP:	192:axKMXkGZcbhbVbTbfbRbObtbyEl7nsr8JA6wnSrDtTkd/SZr:yPpcNhnzFSJMrPjnSrDhkd/Ir
MD5:	EF0688C36CBC38C9049C74F2BC7F18E7
SHA1:	7787EFF9C2FC28562E5E64E2550E41F0B43FF1EE
SHA-256:	05844331EFF99761169D949071B52C4AB2D82B5F7126C986CEC47945960BA403
SHA-512:	B161A38ACB5BB85611C5F40288A9656A3C8ACB25C6A368C9C6DDA546CADCAC4D8BB24FAE2A15B86950ED797BA90173B52DB52E660B43AFAF492FA76A06A9144C
Malicious:	false
Preview:	{"type":"uninstall","id":"df8b0b42-8c0b-490d-abf0-a82f16f60a0c","creationDate":"2024-11-01T00:24:34.871Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df8b0b42-8c0b-490d-abf0-a82f16f60a0c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.174974946159209
Encrypted:	false
SSDEEP:	192:axKMXkGZcbhbVbTbfbRbObtbyEl7nsr8JA6wnSrDtTkd/SZr:yPpcNhnzFSJMrPjnSrDhkd/Ir
MD5:	EF0688C36CBC38C9049C74F2BC7F18E7
SHA1:	7787EFF9C2FC28562E5E64E2550E41F0B43FF1EE
SHA-256:	05844331EFF99761169D949071B52C4AB2D82B5F7126C986CEC47945960BA403
SHA-512:	B161A38ACB5BB85611C5F40288A9656A3C8ACB25C6A368C9C6DDA546CADCAC4D8BB24FAE2A15B86950ED797BA90173B52DB52E660B43AFAF492FA76A06A9144C
Malicious:	false
Preview:	{"type":"uninstall","id":"df8b0b42-8c0b-490d-abf0-a82f16f60a0c","creationDate":"2024-11-01T00:24:34.871Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928169076512467
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNN39doou:8S+OVPUFRbOdwNIOdYpjvY1Q6LE3Ld8P
MD5:	4C4A53BBFFB4432BB36F164ED201EB72
SHA1:	CA5D90772806A6B36F396C5DBD1B17240B2B63D0
SHA-256:	14E9F4841870574DEA17B96457E8848BA2D83FBA163238DB3033BB7AFF0906BC
SHA-512:	F40992B06E39D75C157A03C9680DF61D3EEEBAE728387B0676698FAEB83EF7C97A43F95BAF3EA3CBDE99A50150BFD76B1710FAB6644E51C12E85EE6B7A4C4393
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928169076512467
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNN39doou:8S+OVPUFRbOdwNIOdYpjvY1Q6LE3Ld8P
MD5:	4C4A53BBFFB4432BB36F164ED201EB72
SHA1:	CA5D90772806A6B36F396C5DBD1B17240B2B63D0
SHA-256:	14E9F4841870574DEA17B96457E8848BA2D83FBA163238DB3033BB7AFF0906BC
SHA-512:	F40992B06E39D75C157A03C9680DF61D3EEEBAE728387B0676698FAEB83EF7C97A43F95BAF3EA3CBDE99A50150BFD76B1710FAB6644E51C12E85EE6B7A4C4393
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	14B95206FA5B6BE4C3EA42F0B97B1C37
SHA1:	3AC46852BFCF7311E5E2E88BC6F7A0EAAF68388B
SHA-256:	80E0FAD20E61619D1A683439725F5C5E0440212DBD4CD99DF4FC49877A4BC65D
SHA-512:	5D81D10FFAB33F37F0ACC783FA7F19F6394790E3F0E8C04EDE0F740D099FADB72DAA2236CEB7B3AD7DA5692CA96765D39138EE42A175D7C4F87C07E20688DB6B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFey7K1CYpWHYlltlstFey7K1CYpOlD89//alEl:GtWtcyqbkHYlltWtcyqb8lD89XuM
MD5:	DC4F6C6C37F55804AA26F552C34FB526
SHA1:	49117839D1DEB5123400C33A6B141A52E9F8723B
SHA-256:	54B35F0346F96DC3EBFBB29FC8985212B300C311122EE962EE9B13C6A8990C56
SHA-512:	B08EB64D60948DC50C8A7289A0F6F5E96C3D4668F9BC55FBC0706644ADB6A3EA61269BCE030160E5A74312A56430FD97D00234B9E997BE21D29C96FD8D1B6B1A
Malicious:	false
Preview:	..-......................%.ah..a.8o./.i\|."..'=L...-......................%.ah..a.8o./.i\|."..'=L.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039920253262097694
Encrypted:	false
SSDEEP:	3:Ol16OKLeglg3+Ix6sET7tl8rEXsxdwhml8XW3R2:Ksl/lgZc7tl8dMhm93w
MD5:	25692E838CC999327A14CF4AE9470366
SHA1:	239E7C49BB8705C5479A38F0C017822A3A5666CF
SHA-256:	DEECF09BD45B65B2D0DE5263123214FE31D6FB79E2BFBCC6DCAB97C3D790D5A7
SHA-512:	B827454139E65E4B1789E820237DFF50E7AE88BCB7C240A870EE286BA3B919F1FB33E60950BA94B2DE67560B94583CF12C5283B5587E897A55B1E867D920CCC6
Malicious:	false
Preview:	7....-...........8o./.i\|.6;..............8o./.i\|a.%.a..h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4773375654060485
Encrypted:	false
SSDEEP:	192:/nPOeRnLYbBp6bJ0aX+n6SEXKVTNmj45RHWNBw8dNSl:3DeyJU6wpHHEwi0
MD5:	4BE40E97909FD1CBA229AAEFE685D677
SHA1:	4D688F66F88E85207CF53ECC3F54A2E3C54E1269
SHA-256:	E843C360603803DF14B76B65E678203F32DEBBE583D2F71C191BC3EFC449892D
SHA-512:	8F88DFA3706991EBD3C37AF9107515DEEDB94BB47F17CBD28DB5D01DED1E017C9B708CCFF9A34A79F3CD25DE592CE6A161F2A8A2B27124740D017D7F6DC65674
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730420645);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730420645);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730420645);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173042

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4773375654060485
Encrypted:	false
SSDEEP:	192:/nPOeRnLYbBp6bJ0aX+n6SEXKVTNmj45RHWNBw8dNSl:3DeyJU6wpHHEwi0
MD5:	4BE40E97909FD1CBA229AAEFE685D677
SHA1:	4D688F66F88E85207CF53ECC3F54A2E3C54E1269
SHA-256:	E843C360603803DF14B76B65E678203F32DEBBE583D2F71C191BC3EFC449892D
SHA-512:	8F88DFA3706991EBD3C37AF9107515DEEDB94BB47F17CBD28DB5D01DED1E017C9B708CCFF9A34A79F3CD25DE592CE6A161F2A8A2B27124740D017D7F6DC65674
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730420645);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730420645);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730420645);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173042

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\464d18da-0074-4fdb-b2c0-eed6c501c82e (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.934477592999469
Encrypted:	false
SSDEEP:	12:YZFgjvJUBIe21IVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YPT21SlCOlZGV1AQIWZcy6ZXvx
MD5:	CD19A0A28D22C0C28944AD6115D10CEA
SHA1:	DA026C4FD1FBF02F9365E8A15FC4889EB431068A
SHA-256:	B5A726DA2CAFABFF754F712A28EFD9BCD8260CC00D73F06213466349DDC35546
SHA-512:	3ABFFAD47FC53D12D9618247A9E9477E355901A144E443C99E7908C23F1734618429247207D10BCAE9D4CEE5A98C9856442FDE587CA247D141D80AAAC18230AC
Malicious:	false
Preview:	{"type":"health","id":"464d18da-0074-4fdb-b2c0-eed6c501c82e","creationDate":"2024-11-01T00:24:35.465Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\464d18da-0074-4fdb-b2c0-eed6c501c82e.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.934477592999469
Encrypted:	false
SSDEEP:	12:YZFgjvJUBIe21IVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YPT21SlCOlZGV1AQIWZcy6ZXvx
MD5:	CD19A0A28D22C0C28944AD6115D10CEA
SHA1:	DA026C4FD1FBF02F9365E8A15FC4889EB431068A
SHA-256:	B5A726DA2CAFABFF754F712A28EFD9BCD8260CC00D73F06213466349DDC35546
SHA-512:	3ABFFAD47FC53D12D9618247A9E9477E355901A144E443C99E7908C23F1734618429247207D10BCAE9D4CEE5A98C9856442FDE587CA247D141D80AAAC18230AC
Malicious:	false
Preview:	{"type":"health","id":"464d18da-0074-4fdb-b2c0-eed6c501c82e","creationDate":"2024-11-01T00:24:35.465Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34022991789137
Encrypted:	false
SSDEEP:	48:GUpOxZ9MrnRcoegLU3erjxT4JwcnO6BtT:AHERFTQG4mcOe
MD5:	03D17C810A44EDEE2B1F1AA290B0A88D
SHA1:	B05CA5D7E5BC87FB0174D666C45663C0DFB927DC
SHA-256:	F5C5CC35CE3513328186AAEC70E9AC3EC4BC28AD22EA3E3B09FDE3A2FAE45D24
SHA-512:	6278539D993F90DA004AC2834F9A19CE663EF08AE9154428E0726CE9CE19FF854D67D10F247B41B35CA2E8C3B797D95D9D8A3EF7DF4CB35F3C725EC8D2152AFC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{60561eda-1b11-427a-a509-5a0617ae6b6f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730420649775,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P14614...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...21598,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34022991789137
Encrypted:	false
SSDEEP:	48:GUpOxZ9MrnRcoegLU3erjxT4JwcnO6BtT:AHERFTQG4mcOe
MD5:	03D17C810A44EDEE2B1F1AA290B0A88D
SHA1:	B05CA5D7E5BC87FB0174D666C45663C0DFB927DC
SHA-256:	F5C5CC35CE3513328186AAEC70E9AC3EC4BC28AD22EA3E3B09FDE3A2FAE45D24
SHA-512:	6278539D993F90DA004AC2834F9A19CE663EF08AE9154428E0726CE9CE19FF854D67D10F247B41B35CA2E8C3B797D95D9D8A3EF7DF4CB35F3C725EC8D2152AFC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{60561eda-1b11-427a-a509-5a0617ae6b6f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730420649775,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P14614...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...21598,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.34022991789137
Encrypted:	false
SSDEEP:	48:GUpOxZ9MrnRcoegLU3erjxT4JwcnO6BtT:AHERFTQG4mcOe
MD5:	03D17C810A44EDEE2B1F1AA290B0A88D
SHA1:	B05CA5D7E5BC87FB0174D666C45663C0DFB927DC
SHA-256:	F5C5CC35CE3513328186AAEC70E9AC3EC4BC28AD22EA3E3B09FDE3A2FAE45D24
SHA-512:	6278539D993F90DA004AC2834F9A19CE663EF08AE9154428E0726CE9CE19FF854D67D10F247B41B35CA2E8C3B797D95D9D8A3EF7DF4CB35F3C725EC8D2152AFC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{60561eda-1b11-427a-a509-5a0617ae6b6f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730420649775,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P14614...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...21598,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028426976381448
Encrypted:	false
SSDEEP:	96:ycK+MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:03TEr5NX0z3DhRe
MD5:	CDAE3EEF2840FDB6866B5086C7B82E22
SHA1:	83FC4AA7BBFA9DF9005EE1EA8D80EF7FB6AF019A
SHA-256:	F53D83A7678EE836725A20ABA53814C669C0F27D71C543B0F0BAB17497FA03FD
SHA-512:	D84238294E639CDCF81B87D3EC1597D016AA1ACDA60ECC8D8A3EFC31A8BE5C3DB5419E53155E928BF8967698B40E0A6A259F794811F224E68D6E508AE187C64A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T00:23:44.044Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.028426976381448
Encrypted:	false
SSDEEP:	96:ycK+MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:03TEr5NX0z3DhRe
MD5:	CDAE3EEF2840FDB6866B5086C7B82E22
SHA1:	83FC4AA7BBFA9DF9005EE1EA8D80EF7FB6AF019A
SHA-256:	F53D83A7678EE836725A20ABA53814C669C0F27D71C543B0F0BAB17497FA03FD
SHA-512:	D84238294E639CDCF81B87D3EC1597D016AA1ACDA60ECC8D8A3EFC31A8BE5C3DB5419E53155E928BF8967698B40E0A6A259F794811F224E68D6E508AE187C64A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T00:23:44.044Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584675397091212
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	cd6ad64420e0649dd184452ac6482a48
SHA1:	74074b5f08137389c4a709cbdff7a041a76d19cc
SHA256:	9117394486ae8f394f5cedd8280ac81d48d51edfdc4ebf9b131a10894d51235e
SHA512:	781d4ede0f408b7be97cdc51e11077d5918b884be3ac37d3fcde121f9b5f7bde0bfd41cedd450c37b0ca1f0d5152f9f54b867609f4c3727ba96560a9e0197954
SSDEEP:	12288:JqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TT:JqDEvCTbMWu7rQYlBQcBiT6rprG8abT
TLSH:	0E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67240BD8 [Thu Oct 31 22:59:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F15717B2D73h
jmp 00007F15717B267Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F15717B285Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F15717B282Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F15717B541Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F15717B5468h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F15717B5451h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	5f1eb387ff9e57b52070961ca314706c	False	0.31561511075949367	data	5.374054012504286	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T00:13:13.877669+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49736	TCP
2024-11-01T00:13:52.751023+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49965	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 00:13:01.087516069 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.087548018 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.087719917 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.103281021 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.103319883 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.731590033 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.739346981 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.740122080 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.784908056 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.784923077 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.785041094 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.785259962 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:01.786453962 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:01.832103014 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.832137108 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:01.832418919 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.832446098 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:01.833924055 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.833966017 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.838459969 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.838473082 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:01.840481043 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:01.840501070 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:01.870608091 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:01.875458002 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:01.876557112 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:01.876661062 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:01.881424904 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:02.179184914 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.179227114 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.180427074 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.182043076 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.182059050 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.223921061 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.223953962 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.224138021 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.225440979 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.225455999 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.226104975 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.226125956 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.226546049 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.226661921 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.226675987 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.463252068 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:02.518110037 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:02.700093031 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.700937033 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.702869892 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.703181982 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.703197956 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.703224897 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.703517914 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.718771935 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.718784094 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.722306013 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.722317934 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.722399950 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.722491980 CET	443	49712	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.734396935 CET	49712	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.737746000 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.737759113 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.737831116 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.738051891 CET	443	49711	142.250.185.238	192.168.2.5
Nov 1, 2024 00:13:02.750019073 CET	49711	443	192.168.2.5	142.250.185.238
Nov 1, 2024 00:13:02.797029018 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.803798914 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.836349964 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.838139057 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.838177919 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.838258028 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.838311911 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.838649035 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.838682890 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.838967085 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.839004040 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.839005947 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.846218109 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.850578070 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.861892939 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.861911058 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.862210989 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.863043070 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.863059044 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.865540981 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.865560055 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.865765095 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.865823984 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.866194963 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.866631031 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.866648912 CET	443	49719	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:02.868908882 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.868993044 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.869091034 CET	443	49716	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:02.871859074 CET	49716	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:02.871871948 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.873172998 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:02.873184919 CET	443	49719	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.093559027 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.098756075 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.100586891 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.104501009 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.104551077 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.104952097 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.105335951 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.105456114 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.105473042 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.109847069 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.114509106 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.114639044 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.119406939 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.148593903 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.153518915 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.153625011 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.153772116 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.158520937 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.505048990 CET	443	49719	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.505157948 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.507596970 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.507687092 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.511042118 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.511065960 CET	443	49719	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.511135101 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.511212111 CET	443	49719	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.511337996 CET	49719	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.512033939 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.512042046 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.512108088 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.512284994 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.512383938 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.702162027 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.745887041 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.745960951 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.747726917 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:03.751837969 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.781831980 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.781879902 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.782080889 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.789094925 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.789174080 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.789241076 CET	443	49720	34.160.144.191	192.168.2.5
Nov 1, 2024 00:13:03.789313078 CET	49720	443	192.168.2.5	34.160.144.191
Nov 1, 2024 00:13:03.798707008 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.946105957 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:03.946398020 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.946445942 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:03.949501991 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.950897932 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:03.950913906 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:04.037549973 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:04.202466965 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:04.202513933 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:04.320846081 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:04.321958065 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:04.369183064 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:04.369191885 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:04.808808088 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:04.809264898 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.813822985 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.813836098 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:04.813949108 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.814019918 CET	443	49723	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:04.814301014 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.814342022 CET	443	49725	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:04.814364910 CET	49723	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.814466953 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.815792084 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:04.815808058 CET	443	49725	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:05.428509951 CET	443	49725	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:05.431821108 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:05.459491014 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:05.459517002 CET	443	49725	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:05.459578991 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:05.459670067 CET	443	49725	34.117.188.166	192.168.2.5
Nov 1, 2024 00:13:05.460146904 CET	49725	443	192.168.2.5	34.117.188.166
Nov 1, 2024 00:13:06.631548882 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:06.636348963 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:06.648020029 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:06.652837992 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:06.755091906 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:06.790302038 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:06.797611952 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:06.851068974 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:06.969007969 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:06.973892927 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:06.998514891 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:06.998558998 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:07.000979900 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.002429962 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.002456903 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:07.009247065 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.009283066 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.010665894 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.014013052 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.014038086 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.043284893 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.043324947 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.043912888 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.044195890 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.044204950 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.053029060 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.053070068 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.053595066 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.054965973 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.054980993 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.091789007 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:07.136288881 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:07.613270998 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:07.613352060 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.617588997 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.617609024 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:07.617681980 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.617763996 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:07.618021965 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.619443893 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:07.619465113 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.623437881 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.623456955 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.623508930 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.623662949 CET	443	49729	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.627240896 CET	49729	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.628772974 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:07.635080099 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:07.653868914 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.659327030 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.663801908 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.666313887 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.666322947 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.666574955 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.668365002 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.668422937 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.668487072 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:07.670021057 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.670021057 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:07.671214104 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.671241999 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.673659086 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.677263975 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.677278996 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.693099976 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.699343920 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.705043077 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.735451937 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.735466957 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.735564947 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.735920906 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:07.736171007 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:07.754712105 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:07.809345007 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:07.947173119 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:07.953794003 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:07.985110998 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.985212088 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.985829115 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.986120939 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.986156940 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.990644932 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.990681887 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:07.990855932 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.991056919 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:07.991069078 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.241647005 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:08.287190914 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.287291050 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.294635057 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:08.337075949 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.337107897 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.337183952 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.337308884 CET	443	49732	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.338193893 CET	49732	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.340109110 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:08.342401028 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.342462063 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.342632055 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.343913078 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.343947887 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.347356081 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:08.466661930 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:08.469679117 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:08.477077007 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:08.510834932 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:08.595092058 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:08.641268015 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:08.837393045 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.837490082 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.854469061 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.857717991 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:08.957993031 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:08.960596085 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.043993950 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.044040918 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.044349909 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.046516895 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.046542883 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.046838999 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.050142050 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.050251007 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.050332069 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.050606966 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.050667048 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.050805092 CET	443	49734	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.052809954 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.052829981 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.052891970 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.053118944 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:09.054192066 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.054203987 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.054228067 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.054244041 CET	49734	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.054275036 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:09.054663897 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:09.060888052 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:09.180515051 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:09.191437960 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:09.196419954 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:09.243042946 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:09.318135977 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:09.381055117 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:13.894726992 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:13.894759893 CET	443	49742	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:13.895337105 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:13.896847963 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:13.896862984 CET	443	49742	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:14.515144110 CET	443	49742	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:14.515218019 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:14.905864954 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:14.905884981 CET	443	49742	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:14.905935049 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:14.906192064 CET	443	49742	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:14.908889055 CET	49742	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:15.431675911 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:15.436487913 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:15.557404041 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:15.598552942 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:16.470774889 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:16.476946115 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:16.595149994 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:16.648271084 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:25.533446074 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:25.533485889 CET	443	49809	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:25.533684969 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:25.535693884 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:25.535707951 CET	443	49809	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:25.558155060 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:25.563477993 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:26.157152891 CET	443	49809	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:26.157361031 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:26.170942068 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:26.170959949 CET	443	49809	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:26.171145916 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:26.171184063 CET	443	49809	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:26.173285007 CET	49809	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:26.174998999 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:26.181596041 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:26.301183939 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:26.304621935 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:26.309571028 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:26.344561100 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:26.428344965 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:26.476078033 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:29.889663935 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:29.889739990 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:29.892219067 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:29.892318010 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:29.892334938 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:29.897037029 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:29.897059917 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:29.897699118 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:29.897780895 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:29.897799969 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:29.905611038 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:29.905638933 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:29.906219006 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:29.906330109 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:29.906343937 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:30.387443066 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:30.387466908 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:30.399209023 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:30.400841951 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:30.400854111 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:30.407531977 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:30.407565117 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:30.414848089 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:30.416301012 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:30.416311979 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:30.507285118 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:30.507385969 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:30.510945082 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:30.510956049 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:30.511198044 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:30.511492968 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.512026072 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.514847994 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.514866114 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.515113115 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.517102003 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:30.517190933 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:30.517273903 CET	443	49835	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:30.518327951 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.518390894 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.518466949 CET	443	49834	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.520376921 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.520391941 CET	49835	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:30.520406961 CET	49834	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.522325993 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:30.522831917 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:30.523689032 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:30.525867939 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:30.525877953 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:30.526879072 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:30.528569937 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:30.528647900 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:30.528731108 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:30.528866053 CET	443	49836	151.101.1.91	192.168.2.5
Nov 1, 2024 00:13:30.530716896 CET	49836	443	192.168.2.5	151.101.1.91
Nov 1, 2024 00:13:30.536307096 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.536339998 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.536878109 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.537009001 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.537020922 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.538142920 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.538167953 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.538402081 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.538505077 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.538516998 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.540466070 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.540476084 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.544217110 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.544325113 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:30.544332027 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:30.655391932 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:30.660434008 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:30.666964054 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:30.700047016 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:30.803128958 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:30.847270966 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.013816118 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:31.013833046 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:31.016541958 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:31.025079012 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:31.025091887 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:31.025191069 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:31.025305986 CET	443	49840	35.190.72.216	192.168.2.5
Nov 1, 2024 00:13:31.029035091 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.029980898 CET	49840	443	192.168.2.5	35.190.72.216
Nov 1, 2024 00:13:31.035712957 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.059556007 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:31.059571981 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:31.059658051 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:31.062936068 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:31.062944889 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:31.063029051 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:31.063144922 CET	443	49841	35.201.103.21	192.168.2.5
Nov 1, 2024 00:13:31.063225985 CET	49841	443	192.168.2.5	35.201.103.21
Nov 1, 2024 00:13:31.074253082 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.074292898 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.074381113 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.074506998 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.074520111 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.155735970 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.158586025 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.163419962 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.163959026 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.168040991 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.168358088 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.168746948 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.170929909 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.170947075 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.171241045 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.171580076 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.171585083 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.174012899 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.174021006 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.174256086 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.176130056 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.176145077 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.176363945 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.178420067 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.178535938 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.178586960 CET	443	49846	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.179802895 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.179867029 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.179961920 CET	443	49845	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.180459023 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.180516958 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.180588961 CET	443	49844	35.244.181.201	192.168.2.5
Nov 1, 2024 00:13:31.185054064 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.185081005 CET	49846	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.185087919 CET	49845	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.185101032 CET	49844	443	192.168.2.5	35.244.181.201
Nov 1, 2024 00:13:31.187114000 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.193403959 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.281542063 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.313081026 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.315496922 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.320353985 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.364047050 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.438179016 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.486479998 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.694113016 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.694195032 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.697531939 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.697546959 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.697803974 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.700397015 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.700505972 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.700572014 CET	443	49847	34.149.100.209	192.168.2.5
Nov 1, 2024 00:13:31.701587915 CET	49847	443	192.168.2.5	34.149.100.209
Nov 1, 2024 00:13:31.703527927 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.708348989 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.828183889 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.831439018 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.836880922 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:31.875277996 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:31.954818010 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:32.003525972 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:41.839082956 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:41.845968962 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:41.955182076 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:41.961857080 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:46.502423048 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:46.502463102 CET	443	49937	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:46.502623081 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:46.503977060 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:46.503992081 CET	443	49937	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:47.147420883 CET	443	49937	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:47.147524118 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:47.152439117 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:47.152451992 CET	443	49937	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:47.152550936 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:47.152612925 CET	443	49937	34.107.243.93	192.168.2.5
Nov 1, 2024 00:13:47.152667999 CET	49937	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:13:47.155035019 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:47.163336039 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:47.283307076 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:47.286145926 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:47.290872097 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:47.339342117 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:47.409312010 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:47.455216885 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:57.299400091 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:57.305838108 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:57.421890020 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:13:57.428730965 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:13:59.978228092 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.978259087 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:59.978465080 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.978496075 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:59.978856087 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.979003906 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.979003906 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.979015112 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:13:59.979162931 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:13:59.979175091 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.589056969 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.589154005 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.590079069 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.591985941 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.591995001 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.592293024 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.592454910 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.594870090 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.594880104 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.595115900 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.597450972 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.597558975 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.597654104 CET	443	50012	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.598215103 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.598278046 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.598357916 CET	443	50011	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.598387003 CET	50012	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.598433971 CET	50011	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.626013994 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:00.627686024 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.627723932 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.629163027 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.629312992 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.629328012 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.632519960 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:00.634119987 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.634150028 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.634462118 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.634582996 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.634592056 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.658030033 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.658046007 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.658416986 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.658519983 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:00.658529043 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:00.752156019 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:00.755481005 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:00.761782885 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:00.793802023 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:00.880244017 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:00.931901932 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:01.250433922 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.250533104 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.252923012 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.252933025 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.253132105 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.254791975 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.254889965 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.254952908 CET	443	50017	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.254997969 CET	50017	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.256635904 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.256876945 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.259243965 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.259254932 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.259540081 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.259569883 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:01.261589050 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.261666059 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.261759996 CET	443	50018	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.262082100 CET	50018	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.266150951 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:01.271187067 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.271280050 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.273843050 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.273848057 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.274162054 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.275595903 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.275676966 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.275758982 CET	443	50019	34.120.208.123	192.168.2.5
Nov 1, 2024 00:14:01.275810003 CET	50019	443	192.168.2.5	34.120.208.123
Nov 1, 2024 00:14:01.386080027 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:01.388935089 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:01.393815041 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:01.433324099 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:01.511974096 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:01.564863920 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.391511917 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.396356106 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.489473104 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.494365931 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.523056030 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.527839899 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.613854885 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.616955996 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.621752024 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.661125898 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:11.739897013 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:11.792655945 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:21.620573044 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:21.627455950 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:21.752238989 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:21.758985043 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:27.415425062 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:27.415471077 CET	443	50027	34.107.243.93	192.168.2.5
Nov 1, 2024 00:14:27.416858912 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:27.418390989 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:27.418410063 CET	443	50027	34.107.243.93	192.168.2.5
Nov 1, 2024 00:14:28.027185917 CET	443	50027	34.107.243.93	192.168.2.5
Nov 1, 2024 00:14:28.027268887 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:28.032063961 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:28.032074928 CET	443	50027	34.107.243.93	192.168.2.5
Nov 1, 2024 00:14:28.032181025 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:28.032277107 CET	443	50027	34.107.243.93	192.168.2.5
Nov 1, 2024 00:14:28.034987926 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:28.035202980 CET	50027	443	192.168.2.5	34.107.243.93
Nov 1, 2024 00:14:28.041465044 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:28.164525032 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:28.168251991 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:28.174688101 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:28.208549023 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:28.292807102 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:28.340146065 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:38.168042898 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:38.172974110 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:38.299653053 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:38.304601908 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:48.181488991 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:48.186405897 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:48.312988997 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:48.317866087 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:58.193893909 CET	49722	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:58.198807001 CET	80	49722	34.107.221.82	192.168.2.5
Nov 1, 2024 00:14:58.325356960 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 00:14:58.330166101 CET	80	49721	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 00:13:01.098440886 CET	58401	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.105496883 CET	53	58401	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.142208099 CET	49913	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.150074005 CET	53	49913	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.775242090 CET	63057	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.779207945 CET	61993	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.786086082 CET	53	61993	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.815893888 CET	58299	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.822937012 CET	53	58299	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.845869064 CET	53818	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.846954107 CET	63299	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.852710962 CET	53	53818	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.853634119 CET	53	63299	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:01.871814966 CET	49898	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:01.878449917 CET	53	49898	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.169615984 CET	59015	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.176723003 CET	53	59015	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.179522991 CET	51811	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.186537027 CET	53	51811	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.189169884 CET	55788	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.195689917 CET	53	55788	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.212447882 CET	61627	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.219322920 CET	53	61627	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.224049091 CET	59918	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.227461100 CET	60687	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.231487989 CET	53	59918	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.234947920 CET	53	60687	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.245043993 CET	51166	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.245311975 CET	55586	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.252119064 CET	53	51166	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.252182007 CET	53	55586	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.472002029 CET	60785	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.472753048 CET	52247	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:02.479492903 CET	53	60785	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:02.480118036 CET	53	52247	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:03.085711956 CET	57170	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:03.086607933 CET	49213	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:03.093791962 CET	53	49213	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:03.114362001 CET	50450	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:03.121010065 CET	53	50450	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:03.122163057 CET	54970	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:03.129141092 CET	53	54970	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.626651049 CET	64044	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.633328915 CET	53	64044	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.638216019 CET	59813	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.645483017 CET	53	59813	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.661461115 CET	49583	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.668472052 CET	53	49583	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.734128952 CET	62556	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.761151075 CET	53	57605	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.784111977 CET	50361	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.790992975 CET	53	50361	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.799848080 CET	63654	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.806962967 CET	53	63654	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:06.809235096 CET	62327	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:06.815901041 CET	53	62327	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.009732962 CET	60919	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.016483068 CET	53	60919	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.031441927 CET	52077	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.034934044 CET	64639	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.037647963 CET	59633	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.039084911 CET	53	52077	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.044141054 CET	53	64639	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.044712067 CET	53	59633	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.053544044 CET	53033	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.060419083 CET	53	53033	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:07.065903902 CET	61724	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:07.072873116 CET	53	61724	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.925311089 CET	57463	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.925642967 CET	62273	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.925642967 CET	63975	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.931982040 CET	53	57463	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.932225943 CET	53	62273	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.932306051 CET	53	63975	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.932698965 CET	54797	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.933171034 CET	64961	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.933404922 CET	51303	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.940305948 CET	53	54797	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.940478086 CET	53	51303	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.940756083 CET	55371	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.940810919 CET	53	64961	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.941277981 CET	54498	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.941618919 CET	54620	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.947577000 CET	53	55371	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.947937012 CET	53	54498	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.948098898 CET	52360	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.948395014 CET	53	54620	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.948524952 CET	62468	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.957389116 CET	53	62468	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.957595110 CET	53	52360	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.957914114 CET	59513	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.958374977 CET	55003	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.964999914 CET	53	59513	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.965379000 CET	61260	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.970582962 CET	53	55003	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.971041918 CET	65535	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:11.972333908 CET	53	61260	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:11.978001118 CET	53	65535	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:13.639560938 CET	53635	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:13.646377087 CET	53	53635	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:25.533612967 CET	59204	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:25.540345907 CET	53	59204	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:29.890782118 CET	63330	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:29.895441055 CET	59334	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:29.900765896 CET	53	63330	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:29.904927969 CET	53	59334	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:29.906162024 CET	52635	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:29.916738987 CET	53	52635	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:29.917258978 CET	65035	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:29.930772066 CET	53	65035	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:30.394023895 CET	57380	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:30.403004885 CET	53	57380	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:30.408479929 CET	57116	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:30.418627024 CET	53	57116	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:30.431417942 CET	65210	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:30.439482927 CET	53	65210	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:46.493221998 CET	52550	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:46.501530886 CET	53	52550	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:46.502075911 CET	59220	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:46.510369062 CET	53	59220	1.1.1.1	192.168.2.5
Nov 1, 2024 00:13:59.977040052 CET	55254	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:13:59.985203981 CET	53	55254	1.1.1.1	192.168.2.5
Nov 1, 2024 00:14:00.626127005 CET	64984	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:14:11.490586042 CET	63201	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:14:11.497767925 CET	53	63201	1.1.1.1	192.168.2.5
Nov 1, 2024 00:14:27.414401054 CET	60778	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:14:27.422770977 CET	53	60778	1.1.1.1	192.168.2.5
Nov 1, 2024 00:14:27.423887014 CET	63463	53	192.168.2.5	1.1.1.1
Nov 1, 2024 00:14:27.432286978 CET	53	63463	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 00:13:01.098440886 CET	192.168.2.5	1.1.1.1	0xccd6	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.142208099 CET	192.168.2.5	1.1.1.1	0xafda	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:01.775242090 CET	192.168.2.5	1.1.1.1	0x4b02	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.779207945 CET	192.168.2.5	1.1.1.1	0xf7ce	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.815893888 CET	192.168.2.5	1.1.1.1	0xe872	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.845869064 CET	192.168.2.5	1.1.1.1	0xb6e4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:01.846954107 CET	192.168.2.5	1.1.1.1	0xef56	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.871814966 CET	192.168.2.5	1.1.1.1	0x75e8	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:02.169615984 CET	192.168.2.5	1.1.1.1	0x2641	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.179522991 CET	192.168.2.5	1.1.1.1	0x9610	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.189169884 CET	192.168.2.5	1.1.1.1	0xc402	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:02.212447882 CET	192.168.2.5	1.1.1.1	0x2b9a	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.224049091 CET	192.168.2.5	1.1.1.1	0x612b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.227461100 CET	192.168.2.5	1.1.1.1	0x2474	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.245043993 CET	192.168.2.5	1.1.1.1	0x83a4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:02.245311975 CET	192.168.2.5	1.1.1.1	0x7ced	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:02.472002029 CET	192.168.2.5	1.1.1.1	0x5719	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.472753048 CET	192.168.2.5	1.1.1.1	0xa586	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.085711956 CET	192.168.2.5	1.1.1.1	0xe545	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.086607933 CET	192.168.2.5	1.1.1.1	0x9e7e	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.114362001 CET	192.168.2.5	1.1.1.1	0x80ff	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.122163057 CET	192.168.2.5	1.1.1.1	0x4492	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:06.626651049 CET	192.168.2.5	1.1.1.1	0x6d90	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.638216019 CET	192.168.2.5	1.1.1.1	0x50e1	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.661461115 CET	192.168.2.5	1.1.1.1	0x4863	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:06.734128952 CET	192.168.2.5	1.1.1.1	0x60d7	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.784111977 CET	192.168.2.5	1.1.1.1	0x6f45	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.799848080 CET	192.168.2.5	1.1.1.1	0xb5cb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.809235096 CET	192.168.2.5	1.1.1.1	0x3e46	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:07.009732962 CET	192.168.2.5	1.1.1.1	0x33cd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.031441927 CET	192.168.2.5	1.1.1.1	0x1d7b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:07.034934044 CET	192.168.2.5	1.1.1.1	0x3f13	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:07.037647963 CET	192.168.2.5	1.1.1.1	0xca86	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.053544044 CET	192.168.2.5	1.1.1.1	0xc5e6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.065903902 CET	192.168.2.5	1.1.1.1	0x4729	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:11.925311089 CET	192.168.2.5	1.1.1.1	0xdbe7	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.925642967 CET	192.168.2.5	1.1.1.1	0x2c3f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.925642967 CET	192.168.2.5	1.1.1.1	0x2f2b	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932698965 CET	192.168.2.5	1.1.1.1	0x63d2	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.933171034 CET	192.168.2.5	1.1.1.1	0xb4f0	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.933404922 CET	192.168.2.5	1.1.1.1	0xbe85	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940756083 CET	192.168.2.5	1.1.1.1	0x158e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:11.941277981 CET	192.168.2.5	1.1.1.1	0x2bba	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:11.941618919 CET	192.168.2.5	1.1.1.1	0x334d	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 1, 2024 00:13:11.948098898 CET	192.168.2.5	1.1.1.1	0x35d0	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.948524952 CET	192.168.2.5	1.1.1.1	0x592	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957914114 CET	192.168.2.5	1.1.1.1	0x79c6	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.958374977 CET	192.168.2.5	1.1.1.1	0xa326	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.965379000 CET	192.168.2.5	1.1.1.1	0x101b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:11.971041918 CET	192.168.2.5	1.1.1.1	0x5497	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:13.639560938 CET	192.168.2.5	1.1.1.1	0xc245	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:25.533612967 CET	192.168.2.5	1.1.1.1	0x29b9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:29.890782118 CET	192.168.2.5	1.1.1.1	0xf83b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:13:29.895441055 CET	192.168.2.5	1.1.1.1	0x9bc5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.906162024 CET	192.168.2.5	1.1.1.1	0xd21a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.917258978 CET	192.168.2.5	1.1.1.1	0xbd34	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 1, 2024 00:13:30.394023895 CET	192.168.2.5	1.1.1.1	0x8034	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:30.408479929 CET	192.168.2.5	1.1.1.1	0x4c5d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:30.431417942 CET	192.168.2.5	1.1.1.1	0x2c07	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:46.493221998 CET	192.168.2.5	1.1.1.1	0x583e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:46.502075911 CET	192.168.2.5	1.1.1.1	0x3645	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:13:59.977040052 CET	192.168.2.5	1.1.1.1	0x1f30	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 00:14:00.626127005 CET	192.168.2.5	1.1.1.1	0x46c7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:14:11.490586042 CET	192.168.2.5	1.1.1.1	0x1473	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 00:14:27.414401054 CET	192.168.2.5	1.1.1.1	0xc9bb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:14:27.423887014 CET	192.168.2.5	1.1.1.1	0x2338	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 00:13:01.083340883 CET	1.1.1.1	192.168.2.5	0xbea9	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.105496883 CET	1.1.1.1	192.168.2.5	0xccd6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.782198906 CET	1.1.1.1	192.168.2.5	0x4b02	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:01.782198906 CET	1.1.1.1	192.168.2.5	0x4b02	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.786086082 CET	1.1.1.1	192.168.2.5	0xf7ce	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.822937012 CET	1.1.1.1	192.168.2.5	0xe872	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.852710962 CET	1.1.1.1	192.168.2.5	0xb6e4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 00:13:01.853634119 CET	1.1.1.1	192.168.2.5	0xef56	No error (0)	youtube.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:01.878449917 CET	1.1.1.1	192.168.2.5	0x75e8	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:02.176723003 CET	1.1.1.1	192.168.2.5	0x2641	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.186537027 CET	1.1.1.1	192.168.2.5	0x9610	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.219322920 CET	1.1.1.1	192.168.2.5	0x2b9a	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:02.219322920 CET	1.1.1.1	192.168.2.5	0x2b9a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.224406958 CET	1.1.1.1	192.168.2.5	0x7621	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:02.224406958 CET	1.1.1.1	192.168.2.5	0x7621	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.231487989 CET	1.1.1.1	192.168.2.5	0x612b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.234947920 CET	1.1.1.1	192.168.2.5	0x2474	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.479492903 CET	1.1.1.1	192.168.2.5	0x5719	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.480118036 CET	1.1.1.1	192.168.2.5	0xa586	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:02.480118036 CET	1.1.1.1	192.168.2.5	0xa586	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.092417955 CET	1.1.1.1	192.168.2.5	0xe545	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:03.092417955 CET	1.1.1.1	192.168.2.5	0xe545	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.093791962 CET	1.1.1.1	192.168.2.5	0x9e7e	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:03.093791962 CET	1.1.1.1	192.168.2.5	0x9e7e	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:03.093791962 CET	1.1.1.1	192.168.2.5	0x9e7e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.121010065 CET	1.1.1.1	192.168.2.5	0x80ff	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:03.129141092 CET	1.1.1.1	192.168.2.5	0x4492	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 00:13:06.633328915 CET	1.1.1.1	192.168.2.5	0x6d90	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:06.633328915 CET	1.1.1.1	192.168.2.5	0x6d90	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:06.633328915 CET	1.1.1.1	192.168.2.5	0x6d90	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.645483017 CET	1.1.1.1	192.168.2.5	0x50e1	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.742717028 CET	1.1.1.1	192.168.2.5	0x60d7	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:06.790992975 CET	1.1.1.1	192.168.2.5	0x6f45	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:06.806962967 CET	1.1.1.1	192.168.2.5	0xb5cb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.004432917 CET	1.1.1.1	192.168.2.5	0x508f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.016483068 CET	1.1.1.1	192.168.2.5	0x33cd	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.042459011 CET	1.1.1.1	192.168.2.5	0x74b8	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:07.042459011 CET	1.1.1.1	192.168.2.5	0x74b8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.044712067 CET	1.1.1.1	192.168.2.5	0xca86	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:07.044712067 CET	1.1.1.1	192.168.2.5	0xca86	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.060419083 CET	1.1.1.1	192.168.2.5	0xc5e6	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:07.640696049 CET	1.1.1.1	192.168.2.5	0xb50f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.931982040 CET	1.1.1.1	192.168.2.5	0xdbe7	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:11.931982040 CET	1.1.1.1	192.168.2.5	0xdbe7	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932225943 CET	1.1.1.1	192.168.2.5	0x2c3f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932306051 CET	1.1.1.1	192.168.2.5	0x2f2b	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:11.932306051 CET	1.1.1.1	192.168.2.5	0x2f2b	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940305948 CET	1.1.1.1	192.168.2.5	0x63d2	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940478086 CET	1.1.1.1	192.168.2.5	0xbe85	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.940810919 CET	1.1.1.1	192.168.2.5	0xb4f0	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.947577000 CET	1.1.1.1	192.168.2.5	0x158e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.947937012 CET	1.1.1.1	192.168.2.5	0x2bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.947937012 CET	1.1.1.1	192.168.2.5	0x2bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.947937012 CET	1.1.1.1	192.168.2.5	0x2bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.947937012 CET	1.1.1.1	192.168.2.5	0x2bba	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.948395014 CET	1.1.1.1	192.168.2.5	0x334d	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 1, 2024 00:13:11.957389116 CET	1.1.1.1	192.168.2.5	0x592	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957595110 CET	1.1.1.1	192.168.2.5	0x35d0	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957595110 CET	1.1.1.1	192.168.2.5	0x35d0	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957595110 CET	1.1.1.1	192.168.2.5	0x35d0	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957595110 CET	1.1.1.1	192.168.2.5	0x35d0	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.957595110 CET	1.1.1.1	192.168.2.5	0x35d0	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.964999914 CET	1.1.1.1	192.168.2.5	0x79c6	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.970582962 CET	1.1.1.1	192.168.2.5	0xa326	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.970582962 CET	1.1.1.1	192.168.2.5	0xa326	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.970582962 CET	1.1.1.1	192.168.2.5	0xa326	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:11.970582962 CET	1.1.1.1	192.168.2.5	0xa326	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.904927969 CET	1.1.1.1	192.168.2.5	0x9bc5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.904927969 CET	1.1.1.1	192.168.2.5	0x9bc5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.904927969 CET	1.1.1.1	192.168.2.5	0x9bc5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.904927969 CET	1.1.1.1	192.168.2.5	0x9bc5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.916738987 CET	1.1.1.1	192.168.2.5	0xd21a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.916738987 CET	1.1.1.1	192.168.2.5	0xd21a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.916738987 CET	1.1.1.1	192.168.2.5	0xd21a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.916738987 CET	1.1.1.1	192.168.2.5	0xd21a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:29.930772066 CET	1.1.1.1	192.168.2.5	0xbd34	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 00:13:29.930772066 CET	1.1.1.1	192.168.2.5	0xbd34	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 00:13:29.930772066 CET	1.1.1.1	192.168.2.5	0xbd34	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 00:13:29.930772066 CET	1.1.1.1	192.168.2.5	0xbd34	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 00:13:30.403004885 CET	1.1.1.1	192.168.2.5	0x8034	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:30.403004885 CET	1.1.1.1	192.168.2.5	0x8034	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:30.418627024 CET	1.1.1.1	192.168.2.5	0x4c5d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:31.200479031 CET	1.1.1.1	192.168.2.5	0x1faa	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:31.200479031 CET	1.1.1.1	192.168.2.5	0x1faa	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:13:46.501530886 CET	1.1.1.1	192.168.2.5	0x583e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:13:59.972201109 CET	1.1.1.1	192.168.2.5	0x83e3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:14:00.636660099 CET	1.1.1.1	192.168.2.5	0x46c7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:14:00.636660099 CET	1.1.1.1	192.168.2.5	0x46c7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:14:11.497767925 CET	1.1.1.1	192.168.2.5	0x1473	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 00:14:27.422770977 CET	1.1.1.1	192.168.2.5	0xc9bb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	5596	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 00:13:01.876661062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:02.463252068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50823 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.107.221.82	80	5596	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 00:13:03.114639044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:03.702162027 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27818 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:03.946105957 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:04.320846081 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27819 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:06.631548882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:06.755091906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27821 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:06.969007969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:07.091789007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27822 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:07.947173119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:08.241647005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27823 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:08.469679117 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:08.595092058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27823 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:09.191437960 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:09.318135977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27824 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:16.470774889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:16.595149994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27831 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:26.304621935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:26.428344965 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27841 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:30.660434008 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:30.803128958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27845 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:31.158586025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:31.281542063 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:31.315496922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:31.438179016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:31.831439018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:31.954818010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:41.955182076 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:13:47.286145926 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:13:47.409312010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27862 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:13:57.421890020 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:00.755481005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:14:00.880244017 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27875 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:14:01.388935089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:14:01.511974096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27876 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:14:11.523056030 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:11.616955996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:14:11.739897013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27886 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:14:21.752238989 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:28.168251991 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 00:14:28.292807102 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 27903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 00:14:38.299653053 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:48.312988997 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:58.325356960 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	34.107.221.82	80	5596	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 00:13:03.153772116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:03.747726917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50824 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:04.037549973 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:04.321958065 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50825 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:06.648020029 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:06.790302038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50827 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:07.628772974 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:07.754712105 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50828 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:08.340109110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:08.466661930 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:09.054663897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:09.180515051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50830 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:15.431675911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:15.557404041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50836 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:25.558155060 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:13:26.174998999 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:26.301183939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50847 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:30.522325993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:30.655391932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50851 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:31.029035091 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:31.155735970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50852 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:31.187114000 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:31.313081026 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50852 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:31.703527927 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:31.828183889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50852 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:41.839082956 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:13:47.155035019 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:13:47.283307076 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50868 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:13:57.299400091 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:00.626013994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:14:00.752156019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50881 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:14:01.259569883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:14:01.386080027 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50882 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:14:11.391511917 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:11.489473104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:14:11.613854885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:14:21.620573044 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:28.034987926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 00:14:28.164525032 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 50909 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 00:14:38.168042898 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:48.181488991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 00:14:58.193893909 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	19:12:54
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6a0000
File size:	919'552 bytes
MD5 hash:	CD6AD64420E0649DD184452AC6482A48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:12:54
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x3c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:12:54
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x3c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x3c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x3c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:12:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:12:57
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x3c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:12:57
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:12:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:12:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:12:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:12:58
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e019a9e-297d-4b03-a3f4-7a05c5c32139} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e35b70d10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:13:00
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -parentBuildID 20230927232528 -prefsHandle 4432 -prefMapHandle 4104 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea5418a-e122-4d93-817d-b1dda58037c9} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4623bf10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	19:13:05
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5036 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1df9b93-63d8-44e4-9c27-9beffae50cd4} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 17e4f23bf10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1573
Total number of Limit Nodes:	53

Executed Functions

Function 006A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006A430D

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetCurrentProcess.KERNEL32(?,0073CB64,00000000,?,?), ref: 006A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006A44A0

Strings

GetNativeSystemInfo, xrefs: 006A4460
kernel32.dll, xrefs: 006A444F
|O, xrefs: 006E36F8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction ID: 0286a7249e77780ef1528ec5e45c527fe1781fa23d07fc625699ffe720b7dd7f
Opcode Fuzzy Hash: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction Fuzzy Hash: 82A1E37190A3D0CFCB12DB7D7C441D57FE6AB67380B84C499E08D93B62D6684985CB2D

Function 006A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42C9
LoadResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35BE
SizeofResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35D3
LockResource.KERNEL32(006A50AA,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20,?), ref: 006E35E6

Strings

SCRIPT, xrefs: 006A42BF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction ID: 8a6020bec496b86d6276c9284a85906cf6092536865a589822c79bfc43482068
Opcode Fuzzy Hash: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction Fuzzy Hash: 56115E71240701BFE7229B65DC49F677BBAEFC6B52F148169F502E6250DBB1DD008B60

Function 006E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00762224), ref: 006E2C10
ShellExecuteW.SHELL32(00000000,?,?,00762224), ref: 006E2C17

Strings

runas, xrefs: 006E2C0B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fd344736dc9cab01bc9ce1c8d2cb63de87b3f37988a787a00f274217bfa05781
Instruction ID: 8128e3a2118f40e1595c51636fda5d95f53dac3c18227f5e1d762b1f13f3df31
Opcode Fuzzy Hash: fd344736dc9cab01bc9ce1c8d2cb63de87b3f37988a787a00f274217bfa05781
Instruction Fuzzy Hash: ED110A311083925BCB84FF24D8619BE77A79F93344F44542CF047121A3CF289D4A8F2A

Function 0070D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Process32NextW.KERNEL32(00000000,?), ref: 0070D52F
CloseHandle.KERNELBASE(00000000), ref: 0070D5DC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c1d0a1443cf4f0397a3487048d92714160613c85016de66b8aa29edfb6111df7
Instruction ID: 17459cf83d3dfdc8c4e5939f205efd14e9039bd210cd0e38999b055c7f14d320
Opcode Fuzzy Hash: c1d0a1443cf4f0397a3487048d92714160613c85016de66b8aa29edfb6111df7
Instruction Fuzzy Hash: C631AF71008300DFD315EF94CC81AAFBBE9EF9A354F140A2DF581921A1EB759E45CBA2

Function 0070DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,006E5222), ref: 0070DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0070DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0070DBEE
FindClose.KERNEL32(00000000), ref: 0070DBFA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction ID: e5d79f1d81dfda30635c50e78e9cd2be234cd7f60476515577dfb50af226df8b
Opcode Fuzzy Hash: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction Fuzzy Hash: 41F0A7314106249BF2316BB89C0D46B3BACAE01335F108702F835D10E0EBB85D5486AA

Function 006C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D09
TerminateProcess.KERNEL32(00000000,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D10
ExitProcess.KERNEL32 ref: 006C4D22

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction ID: fac4cfefb995b5db96842d5655a92f12fd2bffe5817c434e8b2ccf7f6a35c7e3
Opcode Fuzzy Hash: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction Fuzzy Hash: 49E0BF31400148ABDF12BF54DD19F983B6AEF41752B108418FC059A222CB39ED51DB45

Function 006ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#w, xrefs: 006F07CE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#w
API String ID: 3964851224-3682083516
Opcode ID: fd9817e129abb2113ee03b3338bb8619f803f13b22fd3f4272781872580e2431
Instruction ID: 35e093dc2a3ef4a6d695ecae8bf61d86c93b400caf257f7c87d86ea990e0cdf4
Opcode Fuzzy Hash: fd9817e129abb2113ee03b3338bb8619f803f13b22fd3f4272781872580e2431
Instruction Fuzzy Hash: D4A249706083019FD754EF18C480B6ABBE2BF8A314F14896DE99A8B352D775EC45CF92

Function 0072AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0072B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1D4
_wcslen.LIBCMT ref: 0072B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B236
_wcslen.LIBCMT ref: 0072B332

Part of subcall function 007105A7: GetStdHandle.KERNEL32(000000F6), ref: 007105C6

_wcslen.LIBCMT ref: 0072B34B
_wcslen.LIBCMT ref: 0072B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072B3B6
GetLastError.KERNEL32(00000000), ref: 0072B407
CloseHandle.KERNEL32(?), ref: 0072B439
CloseHandle.KERNEL32(00000000), ref: 0072B44A
CloseHandle.KERNEL32(00000000), ref: 0072B45C
CloseHandle.KERNEL32(00000000), ref: 0072B46E
CloseHandle.KERNEL32(?), ref: 0072B4E3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e09861afd7a56766a16f4874a87cc5f28acaf90fbdd03803f684fbe7a71b41d5
Instruction ID: 3be2db056e89eed85462b5b07c4df285fcc9a39665d66e3994962329bdf7d7ad
Opcode Fuzzy Hash: e09861afd7a56766a16f4874a87cc5f28acaf90fbdd03803f684fbe7a71b41d5
Instruction Fuzzy Hash: E5F1AB31604350DFC765EF24D891B6EBBE2AF85310F18855DF8999B2A2CB35EC40CB96

Function 006AD730 Relevance: 21.6, APIs: 14, Instructions: 629windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006AD807
timeGetTime.WINMM ref: 006ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB28
TranslateMessage.USER32(?), ref: 006ADB7B
DispatchMessageW.USER32(?), ref: 006ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB9F
Sleep.KERNELBASE(0000000A), ref: 006ADBB1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2469752e574ac076b19bb1790a683fb1dff6a2b3e0488f8ef4a0b7326511e022
Instruction ID: 2a45d2118c6711c87c55a15b3a1b8d0a641850b4ca1e8b7692805f09523def40
Opcode Fuzzy Hash: 2469752e574ac076b19bb1790a683fb1dff6a2b3e0488f8ef4a0b7326511e022
Instruction Fuzzy Hash: F3420070208206DFE728EB24C854BBAB7E2BF46304F14851DE5668B7A1C774EC85CF92

Function 006A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2D07
RegisterClassExW.USER32(00000030), ref: 006A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
LoadIconW.USER32(000000A9), ref: 006A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

+, xrefs: 006A2CF0
TaskbarCreated, xrefs: 006A2D37
AutoIt v3 GUI, xrefs: 006A2D23
0, xrefs: 006A2CE9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction ID: 3adfbd928a02a58ac3d66baf190147555b57b50fe3e811ac828073168a4e7dc6
Opcode Fuzzy Hash: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction Fuzzy Hash: 2221FCB5911348AFEB01DF98EC49BDDBBB4FB08741F00811AF615B6290D7B95540CF98

Function 006E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E039A: CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

GetLastError.KERNEL32 ref: 006E076F
__dosmaperr.LIBCMT ref: 006E0776
GetFileType.KERNELBASE(00000000), ref: 006E0782
GetLastError.KERNEL32 ref: 006E078C
__dosmaperr.LIBCMT ref: 006E0795
CloseHandle.KERNEL32(00000000), ref: 006E07B5
CloseHandle.KERNEL32(?), ref: 006E08FF
GetLastError.KERNEL32 ref: 006E0931
__dosmaperr.LIBCMT ref: 006E0938

Strings

H, xrefs: 006E08BD

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction ID: cff1588d4b9a200b82300903f62f55f56ea9022393b02b96f0c34831e7fe342b
Opcode Fuzzy Hash: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction Fuzzy Hash: 03A13632A002848FEF19AF68D851BAE3BA2EB06320F14415DF815AB3D1D7759D93CB95

Function 006A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006E31CE
RegCloseKey.ADVAPI32(?), ref: 006E3210
_wcslen.LIBCMT ref: 006E3277
_wcslen.LIBCMT ref: 006E3286

Strings

Include, xrefs: 006E3184, 006E31C5
\, xrefs: 006E328C
Software\AutoIt v3\AutoIt, xrefs: 006A3560
\Include\, xrefs: 006A3527

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7dfd7bf07f18b1758d1817030c3c56e7a2a512d5212180c6ace23ddaafc46d64
Instruction ID: 9901249b3358700decabd5d596b975ad354bac3ccb152ad9009dc86dfd31dfad
Opcode Fuzzy Hash: 7dfd7bf07f18b1758d1817030c3c56e7a2a512d5212180c6ace23ddaafc46d64
Instruction Fuzzy Hash: 6F71D6714053109EC344EF25DC419ABB7F9FF85380F40842EF199972A2DB389A89CF69

Function 006A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006A2B9D
LoadIconW.USER32(00000063), ref: 006A2BB3
LoadIconW.USER32(000000A4), ref: 006A2BC5
LoadIconW.USER32(000000A2), ref: 006A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006A2BEF
RegisterClassExW.USER32(?), ref: 006A2C40

Part of subcall function 006A2CD4: GetSysColorBrush.USER32(0000000F), ref: 006A2D07
Part of subcall function 006A2CD4: RegisterClassExW.USER32(00000030), ref: 006A2D31
Part of subcall function 006A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
Part of subcall function 006A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
Part of subcall function 006A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
Part of subcall function 006A2CD4: LoadIconW.USER32(000000A9), ref: 006A2D85
Part of subcall function 006A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

AutoIt v3, xrefs: 006A2C2F
0, xrefs: 006A2C0F
#, xrefs: 006A2C16

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction ID: 8ba7275416eb54a887b87f87cb720034fed051115832802e736bdaeb63af6f5b
Opcode Fuzzy Hash: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction Fuzzy Hash: C1214C71E00314ABEB119FA9EC55B997FB4FB08B90F40C01AF508A66A0D3B90984CF98

Function 006A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006A316A,?,?), ref: 006A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006A316A,?,?), ref: 006A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006A316A,?,?), ref: 006A3232
CreatePopupMenu.USER32 ref: 006A3246
PostQuitMessage.USER32(00000000), ref: 006A3267

Strings

TaskbarCreated, xrefs: 006A322D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7a8b75728414bc34688052207d782b07c76f538381c934f041163e8fce0d2b4c
Instruction ID: a8e8d26ab2283f7065e72dd2f01f83b1d1ec79a3575d8864015090e58de77b82
Opcode Fuzzy Hash: 7a8b75728414bc34688052207d782b07c76f538381c934f041163e8fce0d2b4c
Instruction Fuzzy Hash: 41413A31240264ABEB153B7C9C1EBB9365FEB47380F448125FA0696391C7699F428FA9

Function 006A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006A1459
CoUninitialize.COMBASE ref: 006A14F8
UnregisterHotKey.USER32(?), ref: 006A16DD
DestroyWindow.USER32(?), ref: 006E24B9
FreeLibrary.KERNEL32(?), ref: 006E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006E254B

Strings

close all, xrefs: 006A1454

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2d41e5262700702135b2b3b575eaa3321b802ed2a27b9f2d480a67a71ce1ca2d
Instruction ID: 0fcc1a91ba823b494cf5f5161e218398c3f9b054f3a7a19969b702c6af3bbf1b
Opcode Fuzzy Hash: 2d41e5262700702135b2b3b575eaa3321b802ed2a27b9f2d480a67a71ce1ca2d
Instruction Fuzzy Hash: 05D18E71702222CFDB19EF15C9A9A69F7A7BF06700F1442ADE44AAB251CB30ED52CF54

Function 006A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CCF

Strings

edit, xrefs: 006A2CAC
AutoIt v3, xrefs: 006A2C89, 006A2C8E, 006A2C8F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction ID: 3669ee9fb0b0016539ebfa53d798443d640edb681a386b90643bb3a8f0e52219
Opcode Fuzzy Hash: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction Fuzzy Hash: 0CF0DA756503947AEB31172BAC09E773EBDD7C6F90F41806AF908A25A0C6691890DBB8

Function 006A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B83

Strings

Control Panel\Mouse, xrefs: 006A3B3E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction ID: c278095823588984c3545b34803c642b5e185ef8933137e974e1e6d8679d82fb
Opcode Fuzzy Hash: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction Fuzzy Hash: 6B115AB5510218FFDB219FA4DC84AEEB7BAEF21740B108459B801E7210E3319E409B64

Function 006A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006E33A2

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006A3A04

Strings

Line: , xrefs: 006E33EB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e23e8e0835f42d571231cbd8bbff9a03cb9e3f6c2c8b8f672983a965e9f7df88
Instruction ID: 9d85bd5a73601396813d2215ffab5430875e83b900dd91c9d49abf55c89b9706
Opcode Fuzzy Hash: e23e8e0835f42d571231cbd8bbff9a03cb9e3f6c2c8b8f672983a965e9f7df88
Instruction Fuzzy Hash: 7D310471408360AEC761FB24DC46FEBB7D9AB41350F00452EF59983291EB749A49CBDA

Function 006A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006E2C8C

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 006A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Strings

X, xrefs: 006E2C5A
`ev, xrefs: 006E2C85

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ev
API String ID: 779396738-137022389
Opcode ID: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction ID: 412f0e8ff1651df7d22665722c799b177f948582de0ee5dd77cd4f4f91568baf
Opcode Fuzzy Hash: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction Fuzzy Hash: 8321C671A002989BDB41EF98C805BEE7BFEAF49304F00805DE505B7241DFB85A898FA5

Function 006A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Part of subcall function 006A1B4A: RegisterWindowMessageW.USER32(00000004,?,006A12C4), ref: 006A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006A136A
OleInitialize.OLE32 ref: 006A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006E24AB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 5d263ec51ce57267f8e468a34603bac6232ec4f0775c27bec9d945ea21f6aef1
Instruction ID: ec5668439cf32dee72379ae872fbad6b6886944502d5e21ddaab597258f90f35
Opcode Fuzzy Hash: 5d263ec51ce57267f8e468a34603bac6232ec4f0775c27bec9d945ea21f6aef1
Instruction Fuzzy Hash: A4719BB49112408EC788EF7DA8566553AE5AB8A3D47D5C22E900EDB261EB3C48A0CF5D

Function 0070C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0070C259
KillTimer.USER32(?,00000001,?,?), ref: 0070C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0070C270

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 165217069e2ad9e341b1a2b201f97ae1c0b04334590ca005c809556e14da6336
Instruction ID: 0f544f9c7541cf212c79fe0841060137fa858a9cfc5c12b6c26a5fb1e6f0db6e
Opcode Fuzzy Hash: 165217069e2ad9e341b1a2b201f97ae1c0b04334590ca005c809556e14da6336
Instruction Fuzzy Hash: 0031C570904344AFEB239F648855BEBBBECAF06308F00459DE6DEA3281C7785A84CB55

Function 006D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006D85CC,?,00768CC8,0000000C), ref: 006D8704
GetLastError.KERNEL32(?,006D85CC,?,00768CC8,0000000C), ref: 006D870E
__dosmaperr.LIBCMT ref: 006D8739

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction ID: 9fb5be4e376d257a5452d5b180af9014eb94e4a302a2f5a8be2c0903bcf72448
Opcode Fuzzy Hash: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction Fuzzy Hash: 58018232E041B02ED6656734584DBBE2B478B81774F36011FF8059B3D3DE64CC818294

Function 006ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006ADB7B
DispatchMessageW.USER32(?), ref: 006ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB9F
Sleep.KERNELBASE(0000000A), ref: 006ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 006F1CC9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7dfdfbd04b42248ac383d45ead6892dc1b844c438e9a4dafa60d61d3faeb9399
Instruction ID: 6e77503be2e22aeabdbcad1e91388eb894e52b431e2f6c42a1d0c8b2263744d3
Opcode Fuzzy Hash: 7dfdfbd04b42248ac383d45ead6892dc1b844c438e9a4dafa60d61d3faeb9399
Instruction Fuzzy Hash: 97F05E706043449BEB30DB608C49FEA73AAEF46351F508518E65A971C0DB3894888F2A

Function 006B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006B17F6

Strings

CALL, xrefs: 006B17C6

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6b8cadc4136d4bd736de67e85497aa4dca10739600fa19b06a5bc1627f0c1549
Instruction ID: b4f7e80ea84b8635843233bf0c195c7d7590c476f1b666ef219c0f04b5ff9fbc
Opcode Fuzzy Hash: 6b8cadc4136d4bd736de67e85497aa4dca10739600fa19b06a5bc1627f0c1549
Instruction Fuzzy Hash: F922AEB1608201EFC714DF14C490AAABBF2BF86314F64896DF5968B362D735ED81CB52

Function 006A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006A3908

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3545e561edf76fc4b578e556a13a47db22f9a9dba64f11e4fb63f0bcc06ccb11
Instruction ID: b3f74c244dc8b6efca75f8f19c769d79b9c618a699b7b4ba5f2d7ea639fc12f3
Opcode Fuzzy Hash: 3545e561edf76fc4b578e556a13a47db22f9a9dba64f11e4fb63f0bcc06ccb11
Instruction Fuzzy Hash: DF31A070504311DFD361EF24D885797BBE9FB4A748F00492EF59983380E779AA44CB56

Function 006BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006BF661

Part of subcall function 006AD730: GetInputState.USER32 ref: 006AD807

Sleep.KERNEL32(00000000), ref: 006FF2DE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3e56f04d5d68fcb4e5439a4438025d6170bc3910f05781e4e49e87ffe772f72c
Instruction ID: abb47327a3164cf7616fed378ee1904bbd613eb7f557beecee661ce052011f46
Opcode Fuzzy Hash: 3e56f04d5d68fcb4e5439a4438025d6170bc3910f05781e4e49e87ffe772f72c
Instruction Fuzzy Hash: B0F082712402059FD354FF69D855B6AB7E6EF46761F004029E859D7262DB70AC00CF94

Function 006A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
Part of subcall function 006A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
Part of subcall function 006A4E90: FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EFD

Part of subcall function 006A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
Part of subcall function 006A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
Part of subcall function 006A4E59: FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 425333b5cf21251f4ee45b3b751b703534c6cab0cac285063c58233b4b043b7f
Instruction ID: 770126a5aca4ad0f28f0243ca1181502ea7425c814dbfeee7e9169ae5294cbd6
Opcode Fuzzy Hash: 425333b5cf21251f4ee45b3b751b703534c6cab0cac285063c58233b4b043b7f
Instruction Fuzzy Hash: E1110432600305AADB10FB60DC06FADB7A6AFC1B10F20842DF452A61C2DEB5AE059B59

Function 006D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006D8440

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction ID: ec573ec7964a4d28643ae53bb98ae23aadb3ca21970d7c3cb992a55f731d61af
Opcode Fuzzy Hash: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction Fuzzy Hash: B111187590420AAFCB15DF58E945ADA7BF5EF48314F10405AF808AB312DB31EA11CBA5

Function 006D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D4C7D: RtlAllocateHeap.NTDLL(00000008,006A1129,00000000,?,006D2E29,00000001,00000364,?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?), ref: 006D4CBE

_free.LIBCMT ref: 006D506C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d064a847bdcd093c822a356b48993d969f7fe74715ef1677f329294ad095dda0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BE014972A047056BE3318F65D881A9AFBEEFB89370F25051EE185873C0EA30A805C7B4

Function 006CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1d0d6e5e8bf338cdf70b00f315255dad2e9e58213d69855a4b61723bab1175b8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9DF0D632921A109AC6312A768C05FBA33AFDF62331F10072EF421933D2DA75980286A9

Function 006D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006A1129,00000000,?,006D2E29,00000001,00000364,?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?), ref: 006D4CBE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c25775edaf203909fa7015e0b77035ae37f2ae83a072a7b86b96fe21019a6ff1
Instruction ID: d72b99f75fd98d98c498d12f03102a573e645eb0e5350b3b5b12794dc95e4c68
Opcode Fuzzy Hash: c25775edaf203909fa7015e0b77035ae37f2ae83a072a7b86b96fe21019a6ff1
Instruction Fuzzy Hash: E6F0E931E2222467DB215F629C05FAA378BFF917A1B15811BF819AA380CF70DC0196E4

Function 006D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction ID: ec27d3495b65ffcf2232f122da6d9cad17e136ed14cc602f2deaf159d3f6862c
Opcode Fuzzy Hash: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction Fuzzy Hash: E5E0E53190023456E62166669C01FEA374BEF427B0F09002ABC1596780CB50DE01A3E6

Function 006A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4F6D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 92a5fa2a02ed9d4f66ddbcf5e7116bcb279b3cb505970d358011b25a4f8311f9
Instruction ID: 23785070fd4eb80991404af2bf6d8b2052d3a0d4fc7655819fd86023c5acd475
Opcode Fuzzy Hash: 92a5fa2a02ed9d4f66ddbcf5e7116bcb279b3cb505970d358011b25a4f8311f9
Instruction Fuzzy Hash: 24F0A071005341CFDB34AF20D890862B7F2EF81319320D97EE1DA82610CBB19C44DF00

Function 00732A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00732A66

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7e06a587c7d1b5d444101a848ca6082580bc1586150f725ee73f24808859c67a
Instruction ID: 753f05bf3d1c02ac5e05a92f3b17c2fe433e3b5eb5a45f1a98b56c13895583fe
Opcode Fuzzy Hash: 7e06a587c7d1b5d444101a848ca6082580bc1586150f725ee73f24808859c67a
Instruction Fuzzy Hash: 86E0DF7235011AEBE710EB30EC848FA739CEF10395B108236ED1AC2142DB389A9686A0

Function 006A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006A314E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4eab20e1233d0d28d67de247434b06c8c27be3c552fd7f8ecf182f4f50f503c1
Instruction ID: 39ea5d1cb5c88c456d6046b7010862aaef857f450651c3242cd7e460d4b2a68f
Opcode Fuzzy Hash: 4eab20e1233d0d28d67de247434b06c8c27be3c552fd7f8ecf182f4f50f503c1
Instruction Fuzzy Hash: 92F037709143549FE7529B24DC4A7D57BBCA70170CF0040E9A54C96296DB785BC8CF55

Function 006A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction ID: 67de308d84036b99c53d773c00f1a3774f1846835a166cec7bfd160ebc1258c0
Opcode Fuzzy Hash: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction Fuzzy Hash: D0E0CD726002245BD711A258DC05FDA77DDDFC9790F044075FD09E7248D974AD808695

Function 006A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006A3908

Part of subcall function 006AD730: GetInputState.USER32 ref: 006AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006A314E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4a9ad7e83619b10f7cabbda2d0b95d56a4c7b791a1ad9518811edc2b0f235649
Instruction ID: 07d43bf1e85195aee31e7afdf4676796eaef88355f9e45519552f3848f1a9344
Opcode Fuzzy Hash: 4a9ad7e83619b10f7cabbda2d0b95d56a4c7b791a1ad9518811edc2b0f235649
Instruction Fuzzy Hash: DBE0863230425407CA48BB78A8565BDA75B9FD3395F40553EF14753262CE288D454B6A

Function 006E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction ID: 2771f3e321c2b8561938b030d69f9973a38b4610a9d1e01f1153fe57bd52778b
Opcode Fuzzy Hash: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction Fuzzy Hash: 42D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C736E821AB94

Function 006A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006A1CBC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction ID: 01da4a31d88516dff99daa7aa6a8cbe96f4b3a395e759738e21b42d05a4076f8
Opcode Fuzzy Hash: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction Fuzzy Hash: C1C09B36380304DFF2154794BC5AF107754A348B41F54C001F64D655E3C3A51470D758

Non-executed Functions

Function 00739576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0073961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0073965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0073969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007396C9
SendMessageW.USER32 ref: 007396F2
GetKeyState.USER32(00000011), ref: 0073978B
GetKeyState.USER32(00000009), ref: 00739798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007397AE
GetKeyState.USER32(00000010), ref: 007397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007397E9
SendMessageW.USER32 ref: 00739810
SendMessageW.USER32(?,00001030,?,00737E95), ref: 00739918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0073992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00739941
SetCapture.USER32(?), ref: 0073994A
ClientToScreen.USER32(?,?), ref: 007399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007399D6
ReleaseCapture.USER32 ref: 007399E1
GetCursorPos.USER32(?), ref: 00739A19
ScreenToClient.USER32(?,?), ref: 00739A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739A80
SendMessageW.USER32 ref: 00739AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739AEB
SendMessageW.USER32 ref: 00739B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00739B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00739B4A
GetCursorPos.USER32(?), ref: 00739B68
ScreenToClient.USER32(?,?), ref: 00739B75
GetParent.USER32(?), ref: 00739B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739BFA
SendMessageW.USER32 ref: 00739C2B
ClientToScreen.USER32(?,?), ref: 00739C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00739CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739CDE
SendMessageW.USER32 ref: 00739D01
ClientToScreen.USER32(?,?), ref: 00739D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00739D82

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetWindowLongW.USER32(?,000000F0), ref: 00739E05

Strings

p#w, xrefs: 00739990
F, xrefs: 00739D07
@GUI_DRAGID, xrefs: 0073997D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#w
API String ID: 3429851547-627597586
Opcode ID: bed654f3ef5d19c0c6aadf4a4b7b3870e4c0278d0706a50ff7625afa3a5919d3
Instruction ID: e037ac88f4ecdd623e1b57b4e700fbf5271b26765d091b7dff10d6fb3e612bbd
Opcode Fuzzy Hash: bed654f3ef5d19c0c6aadf4a4b7b3870e4c0278d0706a50ff7625afa3a5919d3
Instruction Fuzzy Hash: E042CB31205240EFEB21CF28CC45AAABBE5FF49310F10465DF699972A2D7B9E860CF55

Function 00734873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00734908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00734927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0073494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0073495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0073497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00734A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A7E
IsMenu.USER32(?), ref: 00734A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734B20
GetWindowLongW.USER32(?,000000F0), ref: 00734B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00734BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00734C82
wsprintfW.USER32 ref: 00734CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00734D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734D5A

Strings

%d/%02d/%02d, xrefs: 00734CA8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 64a617ff885bd0204ee6ec0ae0ea2c0a91d27418b13506d69b328087e993493e
Instruction ID: 387dab52879ec4c59fbbbcd9a1c547570e87c905e97c2ebe86ddf07549d56613
Opcode Fuzzy Hash: 64a617ff885bd0204ee6ec0ae0ea2c0a91d27418b13506d69b328087e993493e
Instruction Fuzzy Hash: 19120071600214ABFB298F24CC4AFAE7BF8FF45310F148169F515EA2E2DB78A941CB50

Function 006BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006FF474
IsIconic.USER32(00000000), ref: 006FF47D
ShowWindow.USER32(00000000,00000009), ref: 006FF48A
SetForegroundWindow.USER32(00000000), ref: 006FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4AA
GetCurrentThreadId.KERNEL32 ref: 006FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006FF4DE
SetForegroundWindow.USER32(00000000), ref: 006FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF4F6
keybd_event.USER32(00000012,00000000), ref: 006FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF50B
keybd_event.USER32(00000012,00000000), ref: 006FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF519
keybd_event.USER32(00000012,00000000), ref: 006FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF528
keybd_event.USER32(00000012,00000000), ref: 006FF52D
SetForegroundWindow.USER32(00000000), ref: 006FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 006FF557

Strings

Shell_TrayWnd, xrefs: 006FF46F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction ID: 18be2871d634e2bf4d2ee341ca350bb135bad633a29df26ee0adfcb6a9fc2925
Opcode Fuzzy Hash: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction Fuzzy Hash: 11316D71A4021CBAFB216BB54C4AFBF7E6DEB44B51F104066FA00F61D1C6B49910ABA4

Function 00701201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00701286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007012A8
CloseHandle.KERNEL32(?), ref: 007012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007012D1
GetProcessWindowStation.USER32 ref: 007012EA
SetProcessWindowStation.USER32(00000000), ref: 007012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00701310

Part of subcall function 007010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
Part of subcall function 007010BF: CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Strings

Zv, xrefs: 00701392
, xrefs: 0070125A
default, xrefs: 0070130B
winsta0, xrefs: 007012CC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zv
API String ID: 22674027-1252836245
Opcode ID: f6e4ae1eb9b1c50a4c3956703b0deda51212eff1b643eed7dee86e4d25de1ce6
Instruction ID: 4a38109253b7e6f0f615feb457c53a2c5f72bb6373dd70a84ebf70f2a1926836
Opcode Fuzzy Hash: f6e4ae1eb9b1c50a4c3956703b0deda51212eff1b643eed7dee86e4d25de1ce6
Instruction Fuzzy Hash: 9B8189B1900249EBEF219FA4DC49FEE7BB9EF04704F148229F911B61A0C7798954CB65

Function 00700B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700C00
GetLengthSid.ADVAPI32(?), ref: 00700C17
GetAce.ADVAPI32(?,00000000,?), ref: 00700C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700C6D
GetLengthSid.ADVAPI32(?), ref: 00700C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700C8C
HeapAlloc.KERNEL32(00000000), ref: 00700C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700CB4
CopySid.ADVAPI32(00000000), ref: 00700CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D45
HeapFree.KERNEL32(00000000), ref: 00700D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D55
HeapFree.KERNEL32(00000000), ref: 00700D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D65
HeapFree.KERNEL32(00000000), ref: 00700D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00700D78
HeapFree.KERNEL32(00000000), ref: 00700D7F

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction ID: d1373ac5102d4c9dd3439ea438bdd97c47f49009cccee20cd43ff874edf833cb
Opcode Fuzzy Hash: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction Fuzzy Hash: A1715C76A0020AEBEF11DFA4DC45FEEBBB9BF04311F048615E914B6191D779A905CBB0

Function 0071EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0073CC08), ref: 0071EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0071EB37
GetClipboardData.USER32(0000000D), ref: 0071EB43
CloseClipboard.USER32 ref: 0071EB4F
GlobalLock.KERNEL32(00000000), ref: 0071EB87
CloseClipboard.USER32 ref: 0071EB91
GlobalUnlock.KERNEL32(00000000), ref: 0071EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0071EBC9
GetClipboardData.USER32(00000001), ref: 0071EBD1
GlobalLock.KERNEL32(00000000), ref: 0071EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0071EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0071EC38
GetClipboardData.USER32(0000000F), ref: 0071EC44
GlobalLock.KERNEL32(00000000), ref: 0071EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0071EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0071ECF3
CountClipboardFormats.USER32 ref: 0071ED14
CloseClipboard.USER32 ref: 0071ED59

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction ID: ee406d6f0062ce37e0a4da5499de81d61d20c239bdff5cddb82ac2e160dbb7b2
Opcode Fuzzy Hash: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction Fuzzy Hash: 0261F4752042019FE311EF28D889F6A77E4AF85704F18851DF846972E2CB39DD85CB66

Function 0071698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007169BE
FindClose.KERNEL32(00000000), ref: 00716A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A75

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00716AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00716ADF

Strings

%4d, xrefs: 00716BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00716B32
%4d%02d%02d%02d%02d%02d, xrefs: 00716B6A
%02d, xrefs: 00716C00, 00716C0A, 00716C5A, 00716CAA, 00716CFA, 00716D4A
%03d, xrefs: 00716DA2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: bbcf526e2609013a0123f1fd663d98d64b3365d9c3edb8becebefe6ba5e729a1
Instruction ID: 6628910c339f205b17eb2d467654188cf52322b6679eccc53ab9395940c83676
Opcode Fuzzy Hash: bbcf526e2609013a0123f1fd663d98d64b3365d9c3edb8becebefe6ba5e729a1
Instruction Fuzzy Hash: 56D15EB2508300AEC354EBA4CC81EABB7EDBF89704F44491DF585D6191EB38DE48CB66

Function 00719642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00719663
GetFileAttributesW.KERNEL32(?), ref: 007196A1
SetFileAttributesW.KERNEL32(?,?), ref: 007196BB
FindNextFileW.KERNEL32(00000000,?), ref: 007196D3
FindClose.KERNEL32(00000000), ref: 007196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0071974A
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 00719768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00719772
FindClose.KERNEL32(00000000), ref: 0071977F
FindClose.KERNEL32(00000000), ref: 0071978F

Strings

*.*, xrefs: 007196F5

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction ID: 3ce0f25f6a1569c6b1784ff24519d938b833c04512a62d50cdc403c9ec6d8a5a
Opcode Fuzzy Hash: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction Fuzzy Hash: 8E31D5725012196AEF15AFB8DC19EDE77ACAF09321F108155F905E30D0DB3CDE818B24

Function 0071979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00719819
FindClose.KERNEL32(00000000), ref: 00719824
FindFirstFileW.KERNEL32(*.*,?), ref: 00719840
SetCurrentDirectoryW.KERNEL32(?), ref: 00719890
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 007198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007198B8
FindClose.KERNEL32(00000000), ref: 007198C5
FindClose.KERNEL32(00000000), ref: 007198D5

Part of subcall function 0070DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0070DB00

Strings

*.*, xrefs: 0071983B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction ID: fdd8dd5c6f38a39edd9026843a6a02e5afa8968be3dc809157535169d2addeb8
Opcode Fuzzy Hash: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction Fuzzy Hash: 2431C572500219AEEF11AFB8DC58ADE77ACEF06321F108155E915A30D0DB38DEC6CB24

Function 0072BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0072BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0072BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0072C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0072C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0072C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0072C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0072C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0072C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0072C382
RegCloseKey.ADVAPI32(00000000), ref: 0072C38F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: da47269ab20f98dc547513df7171629655fb3e02e800af15c4abfcaea6894809
Instruction ID: 8708bdd0c680111e438e4983d0f476d82fc2c285bf74f23930c223cd81688a2b
Opcode Fuzzy Hash: da47269ab20f98dc547513df7171629655fb3e02e800af15c4abfcaea6894809
Instruction Fuzzy Hash: 76027E706042109FD715DF24D891E2ABBE5EF89304F18C89DF84ADB2A2DB35ED45CB52

Function 00718195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00718257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00718267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00718273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00718310
SetCurrentDirectoryW.KERNEL32(?), ref: 00718324
SetCurrentDirectoryW.KERNEL32(?), ref: 00718356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0071838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00718395

Strings

*.*, xrefs: 0071839B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction ID: ee5a00459475c0016f33f05d97cb47686beae59588e32ce1db2c221b064d05e6
Opcode Fuzzy Hash: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction Fuzzy Hash: 166199B25043059FCB50EF24C8409AEB3E9FF89310F04891EF99983291EB39E945CF96

Function 0070D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0070D1DD
MoveFileW.KERNEL32(?,?), ref: 0070D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D237

Part of subcall function 0070D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0070D21C,?,?), ref: 0070D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0070D253
FindClose.KERNEL32(00000000), ref: 0070D264

Strings

\*.*, xrefs: 0070D0CD, 0070D0D6, 0070D0EB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1a62253bbe9ec6e800ad2579d5b2a415feb5bc70a16b03408fdb7dc8d84c4754
Instruction ID: 5b485ea974199b4da6998b3135cce1f03d8f384a23903385a0476121bb0d31b6
Opcode Fuzzy Hash: 1a62253bbe9ec6e800ad2579d5b2a415feb5bc70a16b03408fdb7dc8d84c4754
Instruction Fuzzy Hash: A0615E3180121DDACF15FBE0D9529EDB7B6AF55300F248269E40277191EB386F09CF65

Function 0071ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0071ED91
EmptyClipboard.USER32 ref: 0071ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0071EDAC
CloseClipboard.USER32 ref: 0071EEA3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction ID: 66263e73eae3fca92356e683730931daf0f21c77e5e702b0db48aa06776f526b
Opcode Fuzzy Hash: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction Fuzzy Hash: A4419F352046119FE311DF19E849B59BBE1FF44329F14C09DE8599B6A2C739EC81CB94

Function 0070E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

ExitWindowsEx.USER32(?,00000000), ref: 0070E932

Strings

, xrefs: 0070E95C
SeShutdownPrivilege, xrefs: 0070E902
, xrefs: 0070E920
@, xrefs: 0070E925

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction ID: 6a7c54a4c9d6d6800e2f802ed8370c50a29c59c69266756b6b6c0230dca4711c
Opcode Fuzzy Hash: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction Fuzzy Hash: 0A01D673620311EBFB5466B49C8ABBB72DCA714751F154F21FC03F21D1D5AD6C408295

Function 00721204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00721276
WSAGetLastError.WSOCK32 ref: 00721283
bind.WSOCK32(00000000,?,00000010), ref: 007212BA
WSAGetLastError.WSOCK32 ref: 007212C5
closesocket.WSOCK32(00000000), ref: 007212F4
listen.WSOCK32(00000000,00000005), ref: 00721303
WSAGetLastError.WSOCK32 ref: 0072130D
closesocket.WSOCK32(00000000), ref: 0072133C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction ID: 4ccba42980433399728e2d7054b0581ea747717162306dd9ccbe47a85726deb0
Opcode Fuzzy Hash: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction Fuzzy Hash: 8B419231A00110DFD710DF24D498B6ABBE6BF56318F588198E8569F293C779ED81CBE1

Function 006DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DB9D4
_free.LIBCMT ref: 006DB9F8
_free.LIBCMT ref: 006DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction ID: 28bf3f34090576106390a5f83318100de19ccc6858a37cf329b0aa4061576a88
Opcode Fuzzy Hash: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction Fuzzy Hash: 1AC15571E00245EFCB209F688C51BEA7BAAEF45350F1A519FE484DB35AEB308E418758

Function 0070D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D481
FindClose.KERNEL32(00000000), ref: 0070D498
FindClose.KERNEL32(00000000), ref: 0070D4A1

Strings

\*.*, xrefs: 0070D3F2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2eb7e91ff8087c70df9d855c8ce32e534db5071d0cb5fea6ca26277a461487e8
Instruction ID: 793ff6efe064ec72033b4acb804380952c8e909574a60aa9fdebf398e7e03d2b
Opcode Fuzzy Hash: 2eb7e91ff8087c70df9d855c8ce32e534db5071d0cb5fea6ca26277a461487e8
Instruction Fuzzy Hash: 7B316F710083959BC255FFA4D8518AFB7E9BE92300F448A1DF8D193191EB28AE09CB67

Function 006DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006DE645

Strings

1#IND, xrefs: 006DF83D
1#QNAN, xrefs: 006DF84B
1#SNAN, xrefs: 006DF844
1#INF, xrefs: 006DF852

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction ID: bba3fbb32d3d55527ad7070aaff4de3d56373651a416590b01eacc1d0657ed63
Opcode Fuzzy Hash: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction Fuzzy Hash: 07C23871E086288BDB65DF289D407EAB7B6EB48304F1441EBD84EE7341E775AE818F40

Function 0071648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007164DC
CoInitialize.OLE32(00000000), ref: 00716639
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 00716650
CoUninitialize.OLE32 ref: 007168D4

Strings

.lnk, xrefs: 007164BA, 00716524, 007165E0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 033df36a20270cccbd063e3a312083d8aa30a822dcfc255e058f406ae7a79833
Instruction ID: 491dfb617ad6986f4d0a749aa88b1876513d99e144bcf417b9f86581de10c24d
Opcode Fuzzy Hash: 033df36a20270cccbd063e3a312083d8aa30a822dcfc255e058f406ae7a79833
Instruction Fuzzy Hash: 7DD14971508301AFD344EF24C8819ABB7EAFF95704F10496DF5958B2A2EB70ED45CBA2

Function 007222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007222E8

Part of subcall function 0071E4EC: GetWindowRect.USER32(?,?), ref: 0071E504

GetDesktopWindow.USER32 ref: 00722312
GetWindowRect.USER32(00000000), ref: 00722319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00722355
GetCursorPos.USER32(?), ref: 00722381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007223DF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction ID: fd7a2b360e980787fb60acf02511e7fda63e51ec92b25a1d93f8916eb7834769
Opcode Fuzzy Hash: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction Fuzzy Hash: C031E272504315AFD721DF14D849B5BB7E9FF84310F004A1DF985A7192DB38E909CB96

Function 00719B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00719B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00719C8B

Part of subcall function 00713874: GetInputState.USER32 ref: 007138CB
Part of subcall function 00713874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00719BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00719C75

Strings

*.*, xrefs: 00719B5D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: fd2ea34f4a88fcf58d31193a6b872b2dff3b3ed5f5a0c5d42423079dd0b18439
Instruction ID: 4a0d27f22a23c9ab24aa3c9d21ca0038bd667658e33744d4e2c0b40b01f7bb54
Opcode Fuzzy Hash: fd2ea34f4a88fcf58d31193a6b872b2dff3b3ed5f5a0c5d42423079dd0b18439
Instruction Fuzzy Hash: 6C41A2719042199FDF55EF68C855AEEBBB9EF05300F204059E905A32D1DB389E85CFA4

Function 006B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006B9A4E
GetSysColor.USER32(0000000F), ref: 006B9B23
SetBkColor.GDI32(?,00000000), ref: 006B9B36

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction ID: 9e4622eddce1af2bc9741760b605c09c36d9c21aee008c8134c24f71fd9a7ba8
Opcode Fuzzy Hash: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction Fuzzy Hash: 9AA117F0118448EEE729AA3C8C99EFB369FDF42340F154119F702D6792CA299D82D776

Function 00721806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0072185D
WSAGetLastError.WSOCK32 ref: 00721884
bind.WSOCK32(00000000,?,00000010), ref: 007218DB
WSAGetLastError.WSOCK32 ref: 007218E6
closesocket.WSOCK32(00000000), ref: 00721915

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction ID: 9fa1c8e9333f4dc4842860c6037e8627a55bc8e01ef0a4525272747a73bfc9e1
Opcode Fuzzy Hash: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction Fuzzy Hash: 8051C371A00210AFEB10AF24D886F6A77E6AF45718F48805CF949AF3C3C775ED418BA5

Function 00731C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00731CC0
IsWindowEnabled.USER32 ref: 00731CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00731CDB
IsIconic.USER32 ref: 00731CE9
IsZoomed.USER32 ref: 00731CF7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d425de3362420d45f267a4bd28277ca8de331f1578d4e3fa7f2358ac9f3b3030
Instruction ID: f7b590ca75b614fcf5fae3e3290a2e427781e038c450805924649d9414c17f2a
Opcode Fuzzy Hash: d425de3362420d45f267a4bd28277ca8de331f1578d4e3fa7f2358ac9f3b3030
Instruction Fuzzy Hash: 8321D3317402109FF7218F2AC854B6A7BA5EF85325F59D068E8469B353CB79DC42CBA4

Function 006A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 006E5DF0
VUUU, xrefs: 006A843C
VUUU, xrefs: 006A83E8
VUUU, xrefs: 006A83FA
ERCP, xrefs: 006A813C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction ID: 06b8b75304216b54d4e2a70e59847dd219a725b5e747d5b63e94db691bc4545a
Opcode Fuzzy Hash: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction Fuzzy Hash: 0BA26A70E0125ACFDF24DF59C8507EDB7B2BB55314F2481AAE816A7385EB709E818F90

Function 00708298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007082AA

Strings

tbv, xrefs: 007084F4
|, xrefs: 007082DA
(, xrefs: 007082F0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbv$|
API String ID: 1659193697-2555993713
Opcode ID: a964ac6857e9a1b4d64123b38a633da0a0f758f2c4902bd56ae9a218fe5e0668
Instruction ID: caa3681f2b34da061c2418641e246ada119f36e72eee85b3ca5486000c0b7b37
Opcode Fuzzy Hash: a964ac6857e9a1b4d64123b38a633da0a0f758f2c4902bd56ae9a218fe5e0668
Instruction Fuzzy Hash: 0C323474A00605DFCB68CF59C481A6AB7F0FF48710B15866EE49ADB3A1EB74E981CB44

Function 0070AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0070AAAC
SetKeyboardState.USER32(00000080), ref: 0070AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0070AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0070AB88

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction ID: 2a7aa1cd79dff489cca7e8fef215b72bb1f7b3894cb037489048bd9a19bd74df
Opcode Fuzzy Hash: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction Fuzzy Hash: 8E31E3B1A40358FEFF358A68CC09BFA7BEAAB44310F04831AE585965D1D37D8981C766

Function 0071CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0071CE89
GetLastError.KERNEL32(?,00000000), ref: 0071CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0071CEFE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 3fd7de07af4375f5ec50cbdf7f520e99fc8979a91e5c4347fc9181478114242d
Instruction ID: 4a5b515f33e8cae49efa8089e5245ae33c40f08e582d6e4ed54de5c17234f069
Opcode Fuzzy Hash: 3fd7de07af4375f5ec50cbdf7f520e99fc8979a91e5c4347fc9181478114242d
Instruction Fuzzy Hash: 5721C1B25403059BE732CFA9C949BA7B7FDEB00314F10841EE546E2191E778EE898B94

Function 00715C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00715CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00715D17
FindClose.KERNEL32(?), ref: 00715D5F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0c4d2a2563b017ad4847c92cfe47a94175ba3990c2236f5c4add2916c296fbd3
Instruction ID: 93fa58fa7889586277d3514accb9b0cf4034a9fa253743f51381215f72040048
Opcode Fuzzy Hash: 0c4d2a2563b017ad4847c92cfe47a94175ba3990c2236f5c4add2916c296fbd3
Instruction Fuzzy Hash: A3519974604A01DFC718DF28D484A96B7E4FF8A324F14855DE99A8B3A2CB34ED84CF91

Function 006D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006D2731

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction ID: 82129e98ceb914254db507af9767c37e66a9ef1b6a7019d6d33ef44b6f064c79
Opcode Fuzzy Hash: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction Fuzzy Hash: 5631C475901219ABCB61DF64DC88BD9BBB9EF18310F5041EAE81CA7261E7349F818F49

Function 007151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00715238
SetErrorMode.KERNEL32(00000000), ref: 007152A1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction ID: 6c2f15cdca38c03f3aeb3e2ec927e73b73a19bae3730dfee2146c717a21ebcb1
Opcode Fuzzy Hash: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction Fuzzy Hash: C4314C75A00618DFDB00EF54D884EADBBB5FF49314F088099E805AB3A2DB35EC55CBA4

Function 007016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0668
Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
GetLastError.KERNEL32 ref: 0070174A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 53b949122b9b53cf7d347c3efc5896b0e6bdabfaf01f51d9469eaf9cd8ff9be5
Instruction ID: c20e52b808bc765f376d7aee92f599ec042f5bb52a514c3adfb35487246663b1
Opcode Fuzzy Hash: 53b949122b9b53cf7d347c3efc5896b0e6bdabfaf01f51d9469eaf9cd8ff9be5
Instruction Fuzzy Hash: D611CEB2400304EFE718AF54DC86DAAB7F9EF04714B20862EE05653291EB75FC818B24

Function 0070D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0070D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D650

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction ID: e9707ec8740eb557732030d41d2a22dde7409bb384ad1c28fa7e1104e7f4a313
Opcode Fuzzy Hash: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction Fuzzy Hash: 07113C75E05228BBEB218F959C45FAFBBBCEB45B50F108115F904E7290D6744A058BA1

Function 00701663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0070168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007016A1
FreeSid.ADVAPI32(?), ref: 007016B1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction ID: 452b0e85089ff896b44f52b8a94e1dcf1ad64072683e0569eae5b810ff8ce9de
Opcode Fuzzy Hash: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction Fuzzy Hash: 85F0F47195030DFBEB00DFE49D89AAEBBBCEB08705F508565E601E2181E778AA448B54

Function 006DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 006DC36C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 60482e335f454a06c89f077e83594d3dba33416e1c4cef118a2651a4dac7a400
Instruction ID: 0654882f93841b4802c39e36e9e0476024e8b2a3d98a01bda4daad49019059f8
Opcode Fuzzy Hash: 60482e335f454a06c89f077e83594d3dba33416e1c4cef118a2651a4dac7a400
Instruction Fuzzy Hash: 8B41077690021A6BCB249FB9CC49DFB77BAEB84324F10426EF905D7380E6719E41CB54

Function 006FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 006FD28C

Strings

X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction ID: b151787dcd9bd1ad6c5a9df3371e56b2e43566d6f370f890789566abfb20119d
Opcode Fuzzy Hash: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction Fuzzy Hash: 89D0C9B480111DEACB94DB90DC88DE9B37DBB04305F104151F206A2000D73496498F10

Function 006CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 72eaf6ead7c1603456a45eb2c977c0f47fd97d4780100a44f883ebf7a141a2bf
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B7020C71E012199BDF14CFA9C980BEDBBF2EF49324F25416ED819EB384D731A9418B94

Function 006ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#w, xrefs: 006ACF7F
Variable is not of type 'Object'., xrefs: 006F0C40

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#w
API String ID: 0-2679264178
Opcode ID: ddf7e3468b2b9e8c6fc46beed04e8b0735f33ccb58d2c01553688cda0b4476c8
Instruction ID: 0c9a68b88ca0f5154dd059afdb191f21e4326c43340447c7b23a2f1340fd916d
Opcode Fuzzy Hash: ddf7e3468b2b9e8c6fc46beed04e8b0735f33ccb58d2c01553688cda0b4476c8
Instruction Fuzzy Hash: 17326970900218DFDF14EF94C995AEDB7B6BF06324F148059E906AB292DB35AE46CF60

Function 007168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00716918
FindClose.KERNEL32(00000000), ref: 00716961

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction ID: b06c61a7e56c3c22db5e93c8e9d760f5784ee82298e4b73481c8058d18c9d44d
Opcode Fuzzy Hash: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction Fuzzy Hash: 1F1190716042109FD710DF29D885A16BBE5FF85329F14C69DE8698F2A2CB34EC45CB91

Function 007137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137F4

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a929d41310605d2ba7665b5be4b1a90fab1dc715931689351338866de993c8d7
Instruction ID: 96491131d07fb1520261e7f0fae0a04a081202817b39aaa5b30cd65bf441ee64
Opcode Fuzzy Hash: a929d41310605d2ba7665b5be4b1a90fab1dc715931689351338866de993c8d7
Instruction Fuzzy Hash: FCF0E5B16053282AE760276A8C8DFEB3AAEEFC5761F004275F509E22C1D9709D44C7B4

Function 0070B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0070B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0070B270

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction ID: aea4b074a3ac3f04c0e0650a50bcba916b325783939dd3fc987f196e21198a65
Opcode Fuzzy Hash: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction Fuzzy Hash: A8F01D7180424DEBEB059FA0C805BAE7BB4FF08305F108009F955A5191C37D86119F94

Function 007010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ddc42b17ba2d0f47cb6bca0eed2c734ef146783cf1a979673c0b5be474005150
Instruction ID: d1970fe0007bf09ca353169a7f71f05e2a11eab8476e86f5b4c2025cab291ea5
Opcode Fuzzy Hash: ddc42b17ba2d0f47cb6bca0eed2c734ef146783cf1a979673c0b5be474005150
Instruction Fuzzy Hash: CEE04F72004610EEF7262B11FC05EB377E9EF04311B10C82DF4A5804B1DB62ACE0DB14

Function 006D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006D6766,?,?,00000008,?,?,006DFEFE,00000000), ref: 006D6998

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction ID: d0a71075a0ecf798b2b420c7de3f02319666d723476ece573864ebbc95f7c385
Opcode Fuzzy Hash: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction Fuzzy Hash: F3B14A31A106099FD715CF28C486BA57BA1FF45364F298659F8DACF3A2C335E982CB40

Function 006BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 006F851F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction ID: 30eec812021445e9a54589fea8b8cae271ff40b11545dabfc65b7bcdcf654dc2
Opcode Fuzzy Hash: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction Fuzzy Hash: 9B125FB19002299FDB24CF58C8816FEB7F6FF48710F14819AE949EB255DB749E81CB90

Function 0071EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0071EABD

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction ID: 8d7cd00b27e34f0cb1a17a3fe9467e9360fcde8ff90bd3359aa24dc2d269bf34
Opcode Fuzzy Hash: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction Fuzzy Hash: D8E01A322002049FD710EF69D805E9AB7EAAF99760F00C41AFC4AD7291DA74AD808B95

Function 006C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006C03EE), ref: 006C09DA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction ID: bbf3de48b4daf82a1d0eb86bcc1ff413850e7a831aafda678fb063d6ba0d5c7a
Opcode Fuzzy Hash: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction Fuzzy Hash:

Function 006C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006C798B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e9869f0305de4cde637479190e0cfd137c9e1741ec8b51daf3f9451e1ccc4672
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B6518B7160D7055BDF388569885EFFE239BDB12340F18052EEA86D7382CA25DE02DF5A

Function 00712046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&w, xrefs: 00712053

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: 0&w
API String ID: 0-3600112441
Opcode ID: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction ID: 722fce28e28ccdffea9497a4a1e9b60edb20f85bab1a84d4b3cf3b066a3aa9a1
Opcode Fuzzy Hash: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction Fuzzy Hash: 3521A8326205118BD728CF79C8226BA73E5E754310F15862EE4A7C37D1DE39A945C784

Function 006D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction ID: b9446510386943831da2af279f1495a6b48643853e7cd4f00f5e73fb7f55bc5e
Opcode Fuzzy Hash: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction Fuzzy Hash: 84324626D29F014DD7239634DC22335A28AAFB73C5F55C737F81AB5AAAEF29C4834101

Function 006BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction ID: 07195f7c8cd3fd1ffb198e51c55e2fdf2caa1c8ea2231ebf9fd16c5c88119776
Opcode Fuzzy Hash: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction Fuzzy Hash: 4832F371A0411D8BDF28CB29C6946FD7BA3EB45330F28856AD65ACB395D334DE82DB40

Function 006A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625eece06151a7ec563dc3ed82bc2ec589742be43c7e9929658dd218ac18c3ae
Instruction ID: 65a85a3bf5d8183c74801eddc4f885e485ce097790ee045a365a61ab79144e6b
Opcode Fuzzy Hash: 625eece06151a7ec563dc3ed82bc2ec589742be43c7e9929658dd218ac18c3ae
Instruction Fuzzy Hash: 8C229DB0A00609EFDF14DF65C881AEEB3B6FF45304F244629E816A7291EB35AD51CB64

Function 006A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71354a8fcada38c4ac8ec1839a9a7830b4fb1915a60351149b53822266edbb95
Instruction ID: 9fd039036daee3f621c8878ad3d88105c005a23417e5499c0ae179dc7eea6741
Opcode Fuzzy Hash: 71354a8fcada38c4ac8ec1839a9a7830b4fb1915a60351149b53822266edbb95
Instruction Fuzzy Hash: 1802A5B0A01205EBDF04DF65D881AAEB7B2FF44300F208169E8169B391EB75AE51CF95

Function 006D9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f605dc2bc502f9495787a819d4ab16761763cefd6a2eeea6af7d5080d367103
Instruction ID: 4580a740d565d60bef5f90e4e61f3bb9a2189c866c83180fae64c7e53a5eca5f
Opcode Fuzzy Hash: 8f605dc2bc502f9495787a819d4ab16761763cefd6a2eeea6af7d5080d367103
Instruction Fuzzy Hash: 6EB10334D2AF404DD3239A398831336B65CAFBB6D5F51D71BFC1A74D22EB2686834144

Function 006C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a513773043366fada7c78dd8e710db6c4ba83cfd859ed3bbff3a7af006f67eaf
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 619178725080A34AD72946398574A7DFFE2DE533A1319079DE4F3CE2C2EE24D565D620

Function 006C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0f70d78959d114605e315d9d0a84cbd0ce762a29215d43539a28d53fb4fcb133
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 649157726090E34ADB2D427A857497DFFE2DA933A1319079DD4F2CE2C2FD24C965DA20

Function 006C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction ID: 4f8bc44c35cc7858feb2a1cd85d9ce0b317653577311557f197a7e02adf79396
Opcode Fuzzy Hash: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction Fuzzy Hash: 1E61777120874AAADB349EA88995FFE239BDF51710F10091EF842CB381DA11EE428F59

Function 006C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c097acec0ab242fdafbfa9d1bdea6189e4476e0ea78c191cb490fa4148d0fb
Instruction ID: 22ed4c146cc45b5cc11c8ba25420b5979b86dc81c2fbe1360331101aca738feb
Opcode Fuzzy Hash: d1c097acec0ab242fdafbfa9d1bdea6189e4476e0ea78c191cb490fa4148d0fb
Instruction Fuzzy Hash: B261783220874967DA385A288856FFF239BEF46740F10495EF843CB381DA12FD42CE59

Function 006C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e68ed80ef0a088da0342b34574ad827fea8f388107a9294ac5e61759c1671c16
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D81657250D0A34ADB6D4239857497EFFE3DA933A131A079ED4F2CE2C2EE24C555E620

Function 006BD07D Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction ID: 98ee2e134a9d29ffcab5c1eee3dafb0a724a1b3746fb01e5ca31b30236d093e3
Opcode Fuzzy Hash: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction Fuzzy Hash: 0E51966154FEC6AFC30E9B34DA76144FF30BE6351030CC78FC8A54AA86D750A22AD795

Function 00722ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00722B30
DeleteObject.GDI32(00000000), ref: 00722B43
DestroyWindow.USER32 ref: 00722B52
GetDesktopWindow.USER32 ref: 00722B6D
GetWindowRect.USER32(00000000), ref: 00722B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00722CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00722CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722CF8
GetClientRect.USER32(00000000,?), ref: 00722D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00722D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D80
GlobalLock.KERNEL32(00000000), ref: 00722D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D98
GlobalUnlock.KERNEL32(00000000), ref: 00722DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DA8
GlobalFree.KERNEL32(00000000), ref: 00722DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0073FC38,00000000), ref: 00722DDB
GlobalFree.KERNEL32(00000000), ref: 00722DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00722E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00722E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0072303F

Strings

, xrefs: 00722FC5
static, xrefs: 00722D3A, 00722E91
AutoIt v3, xrefs: 00722CF2
DISPLAY, xrefs: 00722EA2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction ID: e56921f9047e533a0eee8d29a38362c8bec45a93e3b58d7e64c4b110b4e077ba
Opcode Fuzzy Hash: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction Fuzzy Hash: C0028F71900214EFDB15DF64DC89EAE7BB9EB49311F048118F915AB2A2DB38DD41CF64

Function 007370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0073712F
GetSysColorBrush.USER32(0000000F), ref: 00737160
GetSysColor.USER32(0000000F), ref: 0073716C
SetBkColor.GDI32(?,000000FF), ref: 00737186
SelectObject.GDI32(?,?), ref: 00737195
InflateRect.USER32(?,000000FF,000000FF), ref: 007371C0
GetSysColor.USER32(00000010), ref: 007371C8
CreateSolidBrush.GDI32(00000000), ref: 007371CF
FrameRect.USER32(?,?,00000000), ref: 007371DE
DeleteObject.GDI32(00000000), ref: 007371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00737230
FillRect.USER32(?,?,?), ref: 00737262
GetWindowLongW.USER32(?,000000F0), ref: 00737284

Part of subcall function 007373E8: GetSysColor.USER32(00000012), ref: 00737421
Part of subcall function 007373E8: SetTextColor.GDI32(?,?), ref: 00737425
Part of subcall function 007373E8: GetSysColorBrush.USER32(0000000F), ref: 0073743B
Part of subcall function 007373E8: GetSysColor.USER32(0000000F), ref: 00737446
Part of subcall function 007373E8: GetSysColor.USER32(00000011), ref: 00737463
Part of subcall function 007373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
Part of subcall function 007373E8: SelectObject.GDI32(?,00000000), ref: 00737482
Part of subcall function 007373E8: SetBkColor.GDI32(?,00000000), ref: 0073748B
Part of subcall function 007373E8: SelectObject.GDI32(?,?), ref: 00737498
Part of subcall function 007373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
Part of subcall function 007373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
Part of subcall function 007373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a336f6484130d13d136e2c83137592913ae22164577f2ed99a980b1ac84eba89
Instruction ID: 37cae0a67883ee1fb94f064bb539291f1f637889bf192c9cd7dfef3ebe438560
Opcode Fuzzy Hash: a336f6484130d13d136e2c83137592913ae22164577f2ed99a980b1ac84eba89
Instruction Fuzzy Hash: 09A1C2B2008305EFEB159F60DC48E5B7BB9FB88321F104A19F9A2A61E1D779E840DB51

Function 006B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 006F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006F6F43

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

SendMessageW.USER32(?,00001053), ref: 006F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FB7

Strings

0, xrefs: 006F6DCF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction ID: 83ce66b5ccfac9bb31bbf6b38032168892e0502141556a722dc48e12c407587a
Opcode Fuzzy Hash: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction Fuzzy Hash: E312A870204255EFDB25DF28C884BFAB7A6FF44300F548469F6899B261CB35E892CF95

Function 00722711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0072273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0072286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00722900
GetClientRect.USER32(00000000,?), ref: 0072290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00722955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00722964
GetStockObject.GDI32(00000011), ref: 00722974
SelectObject.GDI32(00000000,00000000), ref: 00722978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00722988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00722991
DeleteDC.GDI32(00000000), ref: 0072299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00722A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00722A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00722A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00722A77
GetStockObject.GDI32(00000011), ref: 00722A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00722A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00722A97

Strings

static, xrefs: 0072294F, 00722A71
AutoIt v3, xrefs: 007228F8
DISPLAY, xrefs: 0072295A
msctls_progress32, xrefs: 00722A13

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction ID: 28e0d2cd8ab9de0a78fc16ee08eb80f2a099983394612d1d088f0014fbc8479c
Opcode Fuzzy Hash: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction Fuzzy Hash: 1AB15EB1A00215BFEB14DF68DC86FAE7BA9EB05711F008118F915E7291D778ED40CBA4

Function 00714ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714AED
GetDriveTypeW.KERNEL32(?,0073CB68,?,\\.\,0073CC08), ref: 00714BCA
SetErrorMode.KERNEL32(00000000,0073CB68,?,\\.\,0073CC08), ref: 00714D36

Strings

SATA, xrefs: 00714CD0
SSA, xrefs: 00714CA6
ATAPI, xrefs: 00714C91
Fixed, xrefs: 00714C09
\\.\, xrefs: 00714B3F
RAID, xrefs: 00714CBB
FileBackedVirtual, xrefs: 00714CEC
Network, xrefs: 00714C02
1394, xrefs: 00714C9F
ATA, xrefs: 00714C98
Removable, xrefs: 00714C10, 00714C15
Fibre, xrefs: 00714CAD
iSCSI, xrefs: 00714CC2
USB, xrefs: 00714CB4
SAS, xrefs: 00714CC9
MMC, xrefs: 00714CDE
CDROM, xrefs: 00714BFB
Unknown, xrefs: 00714BED, 00714C83
RAMDisk, xrefs: 00714BF4
SCSI, xrefs: 00714C8A
SSD, xrefs: 00714C4A
PhysicalDrive, xrefs: 00714B76
Virtual, xrefs: 00714CE5

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 99f9db8b49bcd3d418624a5efc0b66f7ae1653f28c6c548a7db503099442702b
Instruction ID: 8cf435041efa109be069e1ccf4fe5cf1c9d552c8c2fbcb8ead83f7d99604e223
Opcode Fuzzy Hash: 99f9db8b49bcd3d418624a5efc0b66f7ae1653f28c6c548a7db503099442702b
Instruction Fuzzy Hash: 8761AFB0705105DBCF14EF2CCA919E8B7B1AB45740B648019F807AB6D1DB2DED81DBA1

Function 007373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00737421
SetTextColor.GDI32(?,?), ref: 00737425
GetSysColorBrush.USER32(0000000F), ref: 0073743B
GetSysColor.USER32(0000000F), ref: 00737446
CreateSolidBrush.GDI32(?), ref: 0073744B
GetSysColor.USER32(00000011), ref: 00737463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
SelectObject.GDI32(?,00000000), ref: 00737482
SetBkColor.GDI32(?,00000000), ref: 0073748B
SelectObject.GDI32(?,?), ref: 00737498
InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0073752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00737554
InflateRect.USER32(?,000000FD,000000FD), ref: 00737572
DrawFocusRect.USER32(?,?), ref: 0073757D
GetSysColor.USER32(00000011), ref: 0073758E
SetTextColor.GDI32(?,00000000), ref: 00737596
DrawTextW.USER32(?,007370F5,000000FF,?,00000000), ref: 007375A8
SelectObject.GDI32(?,?), ref: 007375BF
DeleteObject.GDI32(?), ref: 007375CA
SelectObject.GDI32(?,?), ref: 007375D0
DeleteObject.GDI32(?), ref: 007375D5
SetTextColor.GDI32(?,?), ref: 007375DB
SetBkColor.GDI32(?,?), ref: 007375E5

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 316f617ef9ae05209a67911010b19ea18cf6d420003b4908d13ce6cc6bab5654
Instruction ID: e0a3a3e54a0c2ab29dc5b81ade326b15148263bb21b598bd37053bc0d38ebf17
Opcode Fuzzy Hash: 316f617ef9ae05209a67911010b19ea18cf6d420003b4908d13ce6cc6bab5654
Instruction Fuzzy Hash: 586172B2900218AFEF159FA4DC49EEE7FB9EB08321F108115F911BB2A1D7799940DF94

Function 00730FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00731128
GetDesktopWindow.USER32 ref: 0073113D
GetWindowRect.USER32(00000000), ref: 00731144
GetWindowLongW.USER32(?,000000F0), ref: 00731199
DestroyWindow.USER32(?), ref: 007311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0073120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0073121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00731232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00731245
IsWindowVisible.USER32(00000000), ref: 007312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007312D0
GetWindowRect.USER32(00000000,?), ref: 007312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0073130E
GetMonitorInfoW.USER32(00000000,?), ref: 00731328
CopyRect.USER32(?,?), ref: 0073133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007313AA

Strings

(, xrefs: 0073131B
0, xrefs: 007310D3
tooltips_class32, xrefs: 007311E6

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction ID: db5fe0ec62464260e6b64d7936c1892697c12666e8a794524e72ea6a28041721
Opcode Fuzzy Hash: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction Fuzzy Hash: 5CB17A71604341AFE704DF64C885B6ABBE5FF85350F40891CF999AB262C735E844CFA6

Function 00730241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007302E5
_wcslen.LIBCMT ref: 0073031F
_wcslen.LIBCMT ref: 00730389
_wcslen.LIBCMT ref: 007303F1
_wcslen.LIBCMT ref: 00730475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00730504

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 0070223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00702258
Part of subcall function 0070223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0070228A

Strings

DESELECT, xrefs: 0073059C
GETSUBITEMCOUNT, xrefs: 00730384, 0073039F
SELECTINVERT, xrefs: 0073057E
GETTEXT, xrefs: 007303EC, 00730407
VIEWCHANGE, xrefs: 00730675
SELECTALL, xrefs: 00730515
GETITEMCOUNT, xrefs: 00730316, 00730337
SELECTCLEAR, xrefs: 0073052D
GETSELECTEDCOUNT, xrefs: 00730470, 0073048B
ISSELECTED, xrefs: 007304DD
FINDITEM, xrefs: 00730627
SELECT, xrefs: 00730548
GETSELECTED, xrefs: 007305E1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction ID: 65b978db7ae4529284bac04a981cc52ab33dd8fbb27af9b44e61dbb7d8a426fc
Opcode Fuzzy Hash: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction Fuzzy Hash: 36E1CF31208201CFD754EF24C86192AB3E6BF89758F14496CF8969B3A7DB38ED45CB91

Function 006B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B8968
GetSystemMetrics.USER32(00000007), ref: 006B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B899B
GetSystemMetrics.USER32(00000008), ref: 006B89A3
GetSystemMetrics.USER32(00000004), ref: 006B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006B8A5A
GetStockObject.GDI32(00000011), ref: 006B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006B8A81

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

SetTimer.USER32(00000000,00000000,00000028,006B90FC), ref: 006B8AA8

Strings

AutoIt v3 GUI, xrefs: 006B8A20

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ee035d18232e3706694b5cbc0fbfd7aff106b4d17e1bc8bb28961ecffbc7242c
Instruction ID: 3bfc0631aef495041408a5687020f382822893cf2e167002b8ac7ff0155f728d
Opcode Fuzzy Hash: ee035d18232e3706694b5cbc0fbfd7aff106b4d17e1bc8bb28961ecffbc7242c
Instruction Fuzzy Hash: E6B15C75A00209EFDF14DF68CC45BEA3BB6FB48355F108129FA15AB290DB74A881CF55

Function 00700D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700E29
GetLengthSid.ADVAPI32(?), ref: 00700E40
GetAce.ADVAPI32(?,00000000,?), ref: 00700E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700E96
GetLengthSid.ADVAPI32(?), ref: 00700EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700EB5
HeapAlloc.KERNEL32(00000000), ref: 00700EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700EDD
CopySid.ADVAPI32(00000000), ref: 00700EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F6E
HeapFree.KERNEL32(00000000), ref: 00700F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F7E
HeapFree.KERNEL32(00000000), ref: 00700F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F8E
HeapFree.KERNEL32(00000000), ref: 00700F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00700FA1
HeapFree.KERNEL32(00000000), ref: 00700FA8

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction ID: a22aa24014bdb48f1c1d8d43cb68c6a4d5f30185135c0d1f548a2bc39a9882bc
Opcode Fuzzy Hash: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction Fuzzy Hash: 3271617190020AEBDF119FA4DC45FAEBBB8BF05311F048215F959B6191D739AA05DBA0

Function 0072C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0073CC08,00000000,?,00000000,?,?), ref: 0072C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0072C5A4
_wcslen.LIBCMT ref: 0072C5F4
_wcslen.LIBCMT ref: 0072C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0072C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0072C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0072C84D
RegCloseKey.ADVAPI32(?), ref: 0072C881
RegCloseKey.ADVAPI32(00000000), ref: 0072C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0072C960

Strings

REG_BINARY, xrefs: 0072C913
REG_EXPAND_SZ, xrefs: 0072C5CD
REG_QWORD, xrefs: 0072C8C3
REG_DWORD, xrefs: 0072C804
REG_MULTI_SZ, xrefs: 0072C6F5
REG_SZ, xrefs: 0072C644

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c57ba60382530d2fc63966242e319c93d0dc2628bf14c419ae9c7eb1ed738965
Instruction ID: 258f771ad8d706b2ce84f1b58b3c0fdf581cf18eca3a59df621730e3052cdf9b
Opcode Fuzzy Hash: c57ba60382530d2fc63966242e319c93d0dc2628bf14c419ae9c7eb1ed738965
Instruction Fuzzy Hash: DA1289356042109FDB15EF14D881A2AB7E6EF89314F14889CF88A9B3A2DB35FD41CF95

Function 0073091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007309C6
_wcslen.LIBCMT ref: 00730A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00730A54
_wcslen.LIBCMT ref: 00730A8A
_wcslen.LIBCMT ref: 00730B06
_wcslen.LIBCMT ref: 00730B81

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 00702BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00702BFA

Strings

EXISTS, xrefs: 00730B7C, 00730B97
GETTOTALCOUNT, xrefs: 007309F2, 00730A17
UNCHECK, xrefs: 00730D3E
EXPAND, xrefs: 00730BF8
GETITEMCOUNT, xrefs: 00730C1E
CHECK, xrefs: 00730A85, 00730AA0
GETTEXT, xrefs: 00730C97
COLLAPSE, xrefs: 00730B01, 00730B1C
SELECT, xrefs: 00730D11
GETSELECTED, xrefs: 00730C4E
ISCHECKED, xrefs: 00730CE1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction ID: d41dd7b2a39cf0568ccdcd69e31dfc2e2415bc1e9896c3fed3645afc0c522572
Opcode Fuzzy Hash: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction Fuzzy Hash: 45E1BD712083018FC754EF24C86092AB7E2BF98358F14895CF8969B3A2DB39ED45CB91

Function 0072C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
_wcslen.LIBCMT ref: 0072C9F1
_wcslen.LIBCMT ref: 0072CA68
_wcslen.LIBCMT ref: 0072CA9E
_wcslen.LIBCMT ref: 0072CAF9
_wcslen.LIBCMT ref: 0072CB2F
_wcslen.LIBCMT ref: 0072CB7F

Strings

HKLM, xrefs: 0072CA98, 0072CA9D
HKEY_USERS, xrefs: 0072CBDF
HKU, xrefs: 0072CBF0
HKCR, xrefs: 0072CB29, 0072CB2E
HKEY_CLASSES_ROOT, xrefs: 0072CAF3, 0072CAF8
HKEY_CURRENT_USER, xrefs: 0072CBBD
HKEY_CURRENT_CONFIG, xrefs: 0072CB79, 0072CB7E
HKCC, xrefs: 0072CBAC
HKCU, xrefs: 0072CBCE
HKEY_LOCAL_MACHINE, xrefs: 0072CA62, 0072CA67

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1b7cdd72b66a3341e5a435153f19136cf216808664806388d3bf6fb5da8311cf
Instruction ID: 4d9bd2c757bedadbcdc4e9a1f3649ed3a55f0a7438e07a06221601d3035818a9
Opcode Fuzzy Hash: 1b7cdd72b66a3341e5a435153f19136cf216808664806388d3bf6fb5da8311cf
Instruction Fuzzy Hash: 0A71097260017A8BCB12DE7CED515BF33A19F71794B154528FC5697284E63DCD84C7A0

Function 0073833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073835A
_wcslen.LIBCMT ref: 0073836E
_wcslen.LIBCMT ref: 00738391
_wcslen.LIBCMT ref: 007383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00735BF2), ref: 0073844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738501
FreeLibrary.KERNEL32(?), ref: 0073850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0073851D
DestroyIcon.USER32(?,?,?,?,?,00735BF2), ref: 0073852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00738549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00738555

Strings

.dll, xrefs: 007383AB
.icl, xrefs: 00738368
.exe, xrefs: 00738388

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction ID: 93af6fac0452ac9947967806cafcbc584c1abe5db4f6517ccd04526f69b2f437
Opcode Fuzzy Hash: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction Fuzzy Hash: D761D072500319BAFB55DF64CC45BBE77A8FB08721F108609F815E61D2DF78A990CBA0

Function 006A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 006E5169
", xrefs: 006E5153
#cs, xrefs: 006A7873, 006A78C5
#OnAutoItStartRegister, xrefs: 006A7817
#notrayicon, xrefs: 006A77E7
#pragma compile, xrefs: 006A77D3
Unterminated group of comments, xrefs: 006E528C
#ce, xrefs: 006A78ED
#requireadmin, xrefs: 006A77FF
Bad directive syntax error, xrefs: 006E519A
Cannot parse #include, xrefs: 006E5279
#include-once, xrefs: 006A782F
#comments-end, xrefs: 006A78D9
#comments-start, xrefs: 006A785F, 006A78B1
#include, xrefs: 006A7847

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 32a153b98fef8a13347e31d56d68fd92ffeca07f710b7b3a13ed671a0f5020aa
Instruction ID: 87259439f749ad4c0a8581032308e032f561c606caaf20caaddf78310c2a2305
Opcode Fuzzy Hash: 32a153b98fef8a13347e31d56d68fd92ffeca07f710b7b3a13ed671a0f5020aa
Instruction Fuzzy Hash: 8E81D8B1604205BBDB60BF60DC42FEE776AAF16340F044028F9056B292EB74DE51DBA5

Function 00713E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00713EF8
_wcslen.LIBCMT ref: 00713F03
_wcslen.LIBCMT ref: 00713F5A
_wcslen.LIBCMT ref: 00713F98
GetDriveTypeW.KERNEL32(?), ref: 00713FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0071401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00714059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00714087

Strings

wait, xrefs: 00714044
open, xrefs: 00713F54, 00713F59
closed, xrefs: 00713F08, 00713F2D, 00713F46, 00713F7E, 00713F97
close cd wait, xrefs: 00714072
set cd door , xrefs: 00714028
open , xrefs: 00713FE5
type cdaudio alias cd wait, xrefs: 00714001
close, xrefs: 00713EFE, 00713F18

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: ab9e8bfca03f1ea8e441c0930039c115224e05723300a54e661ff40da77b01bf
Instruction ID: b2f5f228d7161358063233eb386e227c3e0e93b1ae60ade60dfdb9dae58bba99
Opcode Fuzzy Hash: ab9e8bfca03f1ea8e441c0930039c115224e05723300a54e661ff40da77b01bf
Instruction Fuzzy Hash: 727116716042119FC710EF28C8808ABB7F5FF99754F50492DF89693291EB39EE86CB91

Function 00705A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00705A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00705A40
SetWindowTextW.USER32(?,?), ref: 00705A57
GetDlgItem.USER32(?,000003EA), ref: 00705A6C
SetWindowTextW.USER32(00000000,?), ref: 00705A72
GetDlgItem.USER32(?,000003E9), ref: 00705A82
SetWindowTextW.USER32(00000000,?), ref: 00705A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00705AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00705AC3
GetWindowRect.USER32(?,?), ref: 00705ACC
_wcslen.LIBCMT ref: 00705B33
SetWindowTextW.USER32(?,?), ref: 00705B6F
GetDesktopWindow.USER32 ref: 00705B75
GetWindowRect.USER32(00000000), ref: 00705B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00705BD3
GetClientRect.USER32(?,?), ref: 00705BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00705C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00705C2F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction ID: a7f0ba0414fb6a3f4688a86c95b30b8bd3e4a9ad2168c8c53ef6906392fdf5c2
Opcode Fuzzy Hash: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction Fuzzy Hash: 0A715B71A00B09EFDB21DFA8CE85AAFBBF5FB48705F104618E542A25A0D779B940CF54

Function 0071FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0071FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0071FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0071FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0071FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0071FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0071FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0071FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0071FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0071FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0071FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0071FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0071FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0071FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0071FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0071FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0071FECC
GetCursorInfo.USER32(?), ref: 0071FEDC
GetLastError.KERNEL32 ref: 0071FF1E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d1bb9249b9bb1696956445a5672ec8333662e768359f876d6ced987ef0cbec02
Instruction ID: 8d91b9724745959b210b131b1278899db2a1eca16388c6ba02aa911dc372aadd
Opcode Fuzzy Hash: d1bb9249b9bb1696956445a5672ec8333662e768359f876d6ced987ef0cbec02
Instruction Fuzzy Hash: C64153B0D043196ADB109FBA8C8585EBFE8FF04354B54452AF119E7281DB789941CF91

Function 007030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070318D
_wcslen.LIBCMT ref: 007031F8

Strings

TEXT, xrefs: 0070347C
CLASS, xrefs: 00703188, 007031A5
NAME, xrefs: 00703335, 00703346
[v, xrefs: 0070339A
REGEXPCLASS, xrefs: 00703255, 00703266
CLASSNN, xrefs: 007031F3, 00703204
INSTANCE, xrefs: 00703453

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[v
API String ID: 176396367-1498973047
Opcode ID: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction ID: e35c36b1c591e27cd6ea6f392cc483afc7db6fff1509190a343fc575a3dd775c
Opcode Fuzzy Hash: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction Fuzzy Hash: 9EE1D431A00516DACB149F74C851AFDFBF9BF44710F54832AE456A7290DB38AE859B90

Function 006C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006C00C6

Part of subcall function 006C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0077070C,00000FA0,16647B3A,?,?,?,?,006E23B3,000000FF), ref: 006C011C
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0127
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0138
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006C014E
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006C015C
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006C016A
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C0195
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C01A0

___scrt_fastfail.LIBCMT ref: 006C00E7

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

Strings

kernel32.dll, xrefs: 006C0133
WakeAllConditionVariable, xrefs: 006C0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006C0122
SleepConditionVariableCS, xrefs: 006C0154
InitializeConditionVariable, xrefs: 006C0148

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction ID: a5888ccc8a98820219cced45beddc8f1cd22cae52f6d8abac09b494e955979fb
Opcode Fuzzy Hash: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction Fuzzy Hash: DB21DAB2B44710EBFB115BB4AC09F797395DB04B91F15412DF805A2691DB789C008BD8

Function 007144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0073CC08), ref: 00714527
_wcslen.LIBCMT ref: 0071453B
_wcslen.LIBCMT ref: 00714599
_wcslen.LIBCMT ref: 007145F4
_wcslen.LIBCMT ref: 0071463F
_wcslen.LIBCMT ref: 007146A7

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

GetDriveTypeW.KERNEL32(?,00766BF0,00000061), ref: 00714743

Strings

network, xrefs: 0071469D, 007146A2
fixed, xrefs: 00714635, 0071463A
removable, xrefs: 007145EA, 007145EF
all, xrefs: 00714531, 00714536
unknown, xrefs: 00714708
cdrom, xrefs: 0071458F, 00714594
ramdisk, xrefs: 007146F1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c659b4fdae1529582c7ee697ca3e4a77a64112879e951746d9c4c3c6dbbc1cc7
Instruction ID: 7c8642b8ad8156410f609ff5ccaa7c26a51d639d55cb7a21dadd2c1e889e42dc
Opcode Fuzzy Hash: c659b4fdae1529582c7ee697ca3e4a77a64112879e951746d9c4c3c6dbbc1cc7
Instruction Fuzzy Hash: CDB1C1716083029FC710EF28C890AAAB7E6BF96764F50491DF496C72D1D738DD84CBA2

Function 0073911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00739147

Part of subcall function 00737674: ClientToScreen.USER32(?,?), ref: 0073769A
Part of subcall function 00737674: GetWindowRect.USER32(?,?), ref: 00737710
Part of subcall function 00737674: PtInRect.USER32(?,?,00738B89), ref: 00737720

SendMessageW.USER32(?,000000B0,?,?), ref: 007391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00739225
SendMessageW.USER32(?,000000B0,?,?), ref: 0073923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00739255
SendMessageW.USER32(?,000000B1,?,?), ref: 00739277
DragFinish.SHELL32(?), ref: 0073927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00739371

Strings

@GUI_DRAGFILE, xrefs: 00739320
p#w, xrefs: 007392BB
@GUI_DRAGID, xrefs: 007392E9
@GUI_DROPID, xrefs: 0073929E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#w
API String ID: 221274066-3190343874
Opcode ID: d3fb1cb54dd5c8ba8a8a23174f3f3a693c6d64c13b5219e8671ad1351c09b764
Instruction ID: 6a146d744b4a02d668d0a890b8ddb502a44986eb5701f0b23f5b94bb90e1f754
Opcode Fuzzy Hash: d3fb1cb54dd5c8ba8a8a23174f3f3a693c6d64c13b5219e8671ad1351c09b764
Instruction Fuzzy Hash: 7E618C71108300AFD701EF64CC85DAFBBE9EF89350F10492EF696921A1DB749A49CB66

Function 006A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00771990), ref: 006E2F8D
GetMenuItemCount.USER32(00771990), ref: 006E303D
GetCursorPos.USER32(?), ref: 006E3081
SetForegroundWindow.USER32(00000000), ref: 006E308A
TrackPopupMenuEx.USER32(00771990,00000000,?,00000000,00000000,00000000), ref: 006E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006E30A9

Strings

0, xrefs: 006A327D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 27db7f24dfc7793fad275cdee7a6979f22d1971fb1d823a5f4e0b6e4343d976b
Instruction ID: a35917a974580c276d3a451e2feb7ee5a3aa48f9d08ff189e56d33124a17e438
Opcode Fuzzy Hash: 27db7f24dfc7793fad275cdee7a6979f22d1971fb1d823a5f4e0b6e4343d976b
Instruction Fuzzy Hash: 58710531641366BAFB219F25CC59FEABF6AFF01364F204206F5146A2E1C7B5AE50CB50

Function 00736CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00736DEB

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00736E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00736E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736E94
DestroyWindow.USER32(?), ref: 00736EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006A0000,00000000), ref: 00736EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736EFD
GetDesktopWindow.USER32 ref: 00736F16
GetWindowRect.USER32(00000000), ref: 00736F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00736F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00736F4D

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

Strings

0, xrefs: 00736D98
tooltips_class32, xrefs: 00736E58, 00736EDD

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction ID: cbf19c50416f8eacd9768b6c7b1d15fbbcbb566ad5a2f01af6a3405c7af597fa
Opcode Fuzzy Hash: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction Fuzzy Hash: 06718CB0104241AFEB21CF18DC44F6ABBE9FB89304F44841DFA8997261C778E946CF25

Function 0071C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0071C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0071C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0071C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C5F0
InternetCloseHandle.WININET(00000000), ref: 0071C5FB

Strings

, xrefs: 0071C575

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction ID: a8c81926f7a46b35477e59bd5b25106e6e9514c512285e04fe0f483b4c416cdb
Opcode Fuzzy Hash: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction Fuzzy Hash: EF5150B1540204BFEB228FA8C948ABB7BFDFF08755F108419F945D6290D738E994DB61

Function 0073856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00738592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385BA
GlobalLock.KERNEL32(00000000), ref: 007385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385D7
GlobalUnlock.KERNEL32(00000000), ref: 007385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0073FC38,?), ref: 00738611
GlobalFree.KERNEL32(00000000), ref: 00738621
GetObjectW.GDI32(?,00000018,?), ref: 00738641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00738671
DeleteObject.GDI32(?), ref: 00738699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007386AF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction ID: d16cf362492bb70a7ba612d8194945870ac004bf9c61d0dd4e9d71c026ba0872
Opcode Fuzzy Hash: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction Fuzzy Hash: 91410D75600208EFEB119F65DC49EAB7BB8FF89711F108058F905E7251DB389D01DB65

Function 007114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00711502
VariantCopy.OLEAUT32(?,?), ref: 0071150B
VariantClear.OLEAUT32(?), ref: 00711517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00711657
VariantInit.OLEAUT32(?), ref: 00711708
SysFreeString.OLEAUT32(?), ref: 0071178C
VariantClear.OLEAUT32(?), ref: 007117D8
VariantClear.OLEAUT32(?), ref: 007117E7
VariantInit.OLEAUT32(00000000), ref: 00711823

Strings

Default, xrefs: 007116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00711625

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d048db5c19f6c1738431411584820de3a0af11f7dc0cf3185000e540554a2898
Instruction ID: 48bf4f79321529e19f64ee4ed2a3ea28910128334877b782ec46e91cfe466b23
Opcode Fuzzy Hash: d048db5c19f6c1738431411584820de3a0af11f7dc0cf3185000e540554a2898
Instruction Fuzzy Hash: D3D10271A00115DBDB10AF68D885BFDB7B6BF45700F90815AE646AF2C0DB38ED90DB62

Function 0072B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0072B80A
RegCloseKey.ADVAPI32(?), ref: 0072B87E
RegCloseKey.ADVAPI32(?), ref: 0072B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0072B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0072B922
FreeLibrary.KERNEL32(00000000), ref: 0072B983
RegCloseKey.ADVAPI32(00000000), ref: 0072B994

Strings

advapi32.dll, xrefs: 0072B8ED
RegDeleteKeyExW, xrefs: 0072B8FE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 45bdbf43f32d3eea3d44f12cd31aa0f7959859ef907d3153a460da307cef9297
Instruction ID: 26ddfb0acd777ac6e62fff0523f6ba72261453c13f7c0729685052143c7b639e
Opcode Fuzzy Hash: 45bdbf43f32d3eea3d44f12cd31aa0f7959859ef907d3153a460da307cef9297
Instruction Fuzzy Hash: E9C18A34208211EFD714EF24D494F2ABBE5BF85318F14849CF59A8B2A2CB39EC45CB91

Function 0072255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007225E8
CreateCompatibleDC.GDI32(?), ref: 007225F4
SelectObject.GDI32(00000000,?), ref: 00722601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0072266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007226D0
SelectObject.GDI32(?,?), ref: 007226D8
DeleteObject.GDI32(?), ref: 007226E1
DeleteDC.GDI32(?), ref: 007226E8
ReleaseDC.USER32(00000000,?), ref: 007226F3

Strings

(, xrefs: 0072268D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 28959e4aa644d45aabf77e5765e627f1b25ad5d69624633a70bb64f4d8fe4cb5
Instruction ID: 07d1050877cc11105a2a609401beb319672b2a0132ba8ceeb2ea7621b33a2c02
Opcode Fuzzy Hash: 28959e4aa644d45aabf77e5765e627f1b25ad5d69624633a70bb64f4d8fe4cb5
Instruction Fuzzy Hash: 396113B6D00219EFDF15CFA4DC84AAEBBB6FF48310F208429E955A7250D774A941CF64

Function 006DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006DDAA1

Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD659
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD66B
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD67D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD68F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6A1
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6B3
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6C5
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6D7
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6E9
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6FB
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD70D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD71F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD731

_free.LIBCMT ref: 006DDA96

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DDAB8
_free.LIBCMT ref: 006DDACD
_free.LIBCMT ref: 006DDAD8
_free.LIBCMT ref: 006DDAFA
_free.LIBCMT ref: 006DDB0D
_free.LIBCMT ref: 006DDB1B
_free.LIBCMT ref: 006DDB26
_free.LIBCMT ref: 006DDB5E
_free.LIBCMT ref: 006DDB65
_free.LIBCMT ref: 006DDB82
_free.LIBCMT ref: 006DDB9A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction ID: 2241e99c7f60839ffd07b0983069f4721184d4e85bf8db2cbbc6f475e360c975
Opcode Fuzzy Hash: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction Fuzzy Hash: 87317C71E042069FEB61BA39E851B9A77EAFF10714F14442FE449DB391DA30AC409724

Function 0070365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0070369C
_wcslen.LIBCMT ref: 007036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00703797
GetClassNameW.USER32(?,?,00000400), ref: 0070380C
GetDlgCtrlID.USER32(?), ref: 0070385D
GetWindowRect.USER32(?,?), ref: 00703882
GetParent.USER32(?), ref: 007038A0
ScreenToClient.USER32(00000000), ref: 007038A7
GetClassNameW.USER32(?,?,00000100), ref: 00703921
GetWindowTextW.USER32(?,?,00000400), ref: 0070395D

Strings

%s%u, xrefs: 00703734

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5882527444343c08f8870d8baa18486462216f06c8a5ee7a4e094bce5cd37010
Instruction ID: 89f6bc9b4187392357892ea569b0d5c0cf5bddd9b17231cc30a8a2463fdf7414
Opcode Fuzzy Hash: 5882527444343c08f8870d8baa18486462216f06c8a5ee7a4e094bce5cd37010
Instruction Fuzzy Hash: DE919B71204606EFD719DF24C885FAAB7EDFF44354F008629F99AD21D0DB38AA45CBA1

Function 00704954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00704994
GetWindowTextW.USER32(?,?,00000400), ref: 007049DA
_wcslen.LIBCMT ref: 007049EB
CharUpperBuffW.USER32(?,00000000), ref: 007049F7
_wcsstr.LIBVCRUNTIME ref: 00704A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00704A64
GetWindowTextW.USER32(?,?,00000400), ref: 00704A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00704AE6
GetClassNameW.USER32(?,?,00000400), ref: 00704B20
GetWindowRect.USER32(?,?), ref: 00704B8B

Strings

ThumbnailClass, xrefs: 00704A6F, 00704AF1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: aac4de95c8cab77682b795f1ee608b824ef2ef1c16f57eb1b3af3f3aa0e49fa8
Instruction ID: 20a7fd53d301464ebf5b319f36d6abe5837c4b62333b43f3676abb03d2940dc3
Opcode Fuzzy Hash: aac4de95c8cab77682b795f1ee608b824ef2ef1c16f57eb1b3af3f3aa0e49fa8
Instruction Fuzzy Hash: E591AAB2104205DBDB04DF14C985FAA77E9FF84314F048669FE869A0D6EB38ED45CBA1

Function 00738D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00738D5A
GetFocus.USER32 ref: 00738D6A
GetDlgCtrlID.USER32(00000000), ref: 00738D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00738E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00738ECF
GetMenuItemCount.USER32(?), ref: 00738EEC
GetMenuItemID.USER32(?,00000000), ref: 00738EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00738F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00738F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00738FA1

Strings

0, xrefs: 00738E9F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 92ce2a004f167a5a09dc6a10257e241957b069988202aa03b26a09345ebb5bfd
Instruction ID: df6afca90daaaad7b448a32b007ac2435954f39ed51c10d934c9f0ea8a7e9bf0
Opcode Fuzzy Hash: 92ce2a004f167a5a09dc6a10257e241957b069988202aa03b26a09345ebb5bfd
Instruction Fuzzy Hash: D281D171504311AFE761DF24C884EABBBE9FF88354F14491DF994A7292DB38D901CB62

Function 0070DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0070DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0070DC46
_wcslen.LIBCMT ref: 0070DC50
_wcsstr.LIBVCRUNTIME ref: 0070DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0070DCBC

Strings

04090000, xrefs: 0070DCF2
StringFileInfo\, xrefs: 0070DC8F
DefaultLangCodepage, xrefs: 0070DD1F
\VarFileInfo\Translation, xrefs: 0070DCB4
%u.%u.%u.%u, xrefs: 0070DD9A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6c228a1a1151c6fddac6a32a526b39328d2bfb6b2858a25c2243fb502bb8ef4b
Instruction ID: 1353166559cd1df799a633989a1855b4db1f08779341b931730a1f67a6e6a75f
Opcode Fuzzy Hash: 6c228a1a1151c6fddac6a32a526b39328d2bfb6b2858a25c2243fb502bb8ef4b
Instruction Fuzzy Hash: BD41E5B2640311BAE751A7749C07EFF77ADEF41710F10016EF901A6192EA68DE0187B8

Function 0072CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0072CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD48

Part of subcall function 0072CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0072CCAA
Part of subcall function 0072CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0072CCBD
Part of subcall function 0072CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072CCCF
Part of subcall function 0072CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD05
Part of subcall function 0072CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0072CCF3

Strings

advapi32.dll, xrefs: 0072CCB8
RegDeleteKeyExW, xrefs: 0072CCC9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction ID: 0c9b937aa7d8f24096ba8d26a1e2a6fff004a54991274e09c13941841cd11a66
Opcode Fuzzy Hash: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction Fuzzy Hash: 5C3180B5A01129BBE7228B61EC88EFFBB7CEF15741F004165A906E7140D6789E45EBB0

Function 00713D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00713D40
_wcslen.LIBCMT ref: 00713D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00713D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00713DBE
RemoveDirectoryW.KERNEL32(?), ref: 00713DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00713E55
CloseHandle.KERNEL32(00000000), ref: 00713E60
CloseHandle.KERNEL32(00000000), ref: 00713E6B

Strings

\, xrefs: 00713D77
:, xrefs: 00713D82
\??\%s, xrefs: 00713D5B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e3bcbca982a7eb382fb0e68bf163bfe48c440bbff015d8767247c7f187a091ed
Instruction ID: eac3d8b3f59fef45a7e5a710ebc5217394ddbfa1b0c633dbd8f93175e87e6295
Opcode Fuzzy Hash: e3bcbca982a7eb382fb0e68bf163bfe48c440bbff015d8767247c7f187a091ed
Instruction Fuzzy Hash: 2031B6726002196BDB219BA4DC49FEF37BDEF88701F1040B9F545E6090E77897848B68

Function 0070E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070E6B4

Part of subcall function 006BE551: timeGetTime.WINMM(?,?,0070E6D4), ref: 006BE555

Sleep.KERNEL32(0000000A), ref: 0070E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0070E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0070E727
SetActiveWindow.USER32 ref: 0070E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0070E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0070E773
Sleep.KERNEL32(000000FA), ref: 0070E77E
IsWindow.USER32 ref: 0070E78A
EndDialog.USER32(00000000), ref: 0070E79B

Strings

BUTTON, xrefs: 0070E719

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction ID: 93171b1712206e5081e77dfeca2b9b63a28fe41a93897102e2304d62b7997657
Opcode Fuzzy Hash: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction Fuzzy Hash: 652162B1300204EFFB016F24EC89A253BA9E75438AF649925F51AD15E2DB7E9C419B1C

Function 0070E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0070EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0070EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0070EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0070EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0070EAA7

Strings

status PlayMe mode, xrefs: 0070EA58
alias PlayMe, xrefs: 0070EA36
play PlayMe, xrefs: 0070EAA2
open , xrefs: 0070EA0C
play PlayMe wait, xrefs: 0070EA91
close PlayMe, xrefs: 0070EA6E, 0070EA9B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 47d6a27abeac35565e765330b665fab178ca5dd21412a2fde3a894cb0196904f
Instruction ID: 21f06329cda9b778a28cdace0f04dae0d0b8fd59f49b479479c9c48f8fd354af
Opcode Fuzzy Hash: 47d6a27abeac35565e765330b665fab178ca5dd21412a2fde3a894cb0196904f
Instruction Fuzzy Hash: 161151B1A5026979D760B7A1DC4ADFF6ABCEBD6B40F44492D7C02A20D1EEB41D05C9B0

Function 00705CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00705CE2
GetWindowRect.USER32(00000000,?), ref: 00705CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00705D59
GetDlgItem.USER32(?,00000002), ref: 00705D69
GetWindowRect.USER32(00000000,?), ref: 00705D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00705DCF
GetDlgItem.USER32(?,000003E9), ref: 00705DDD
GetWindowRect.USER32(00000000,?), ref: 00705DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00705E31
GetDlgItem.USER32(?,000003EA), ref: 00705E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00705E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00705E67

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1547be9a737c9d5d602bba1bee67d92656600df27243af717bb94b0a6708d430
Instruction ID: ce2b3d0d3c1415c9c796c776691cb8db9f6b9eabeb194525eeb7501763ea1241
Opcode Fuzzy Hash: 1547be9a737c9d5d602bba1bee67d92656600df27243af717bb94b0a6708d430
Instruction Fuzzy Hash: CA510CB1B00619AFDB18CF68DD89AAEBBF5EB48301F148229F915E6290D7749E00CF54

Function 006B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

DestroyWindow.USER32(?), ref: 006B8C81
KillTimer.USER32(00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 006F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000), ref: 006F69D4
DeleteObject.GDI32(00000000), ref: 006F69E6

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction ID: 09191c7d0aa15586a177b0927d198bc55e3bc274aaf94f232fb08bde55e344d2
Opcode Fuzzy Hash: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction Fuzzy Hash: 5861DCB1002705DFDB268F18C948BB57BF6FB40352F54881CE2469B660CB79A8D2DF98

Function 006B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetSysColor.USER32(0000000F), ref: 006B9862

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction ID: 532dc5fb92832fb5d5a0eadc8579d4cc0adcefe79de17b875be8637deeeacd59
Opcode Fuzzy Hash: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction Fuzzy Hash: 7841B7B11046549FDB215F389C44BF937B6EB06331F148A15FBA29B2E1D7359C82DB20

Function 006D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.l, xrefs: 006D903A, 006D8FD0, 006D8FF2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: .l
API String ID: 0-3986846653
Opcode ID: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction ID: 80de434d18419b0b9bcf76c353f935900dc36dbb56afd15ded32821f958e2ad2
Opcode Fuzzy Hash: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction Fuzzy Hash: 86C1D274E04349AFDB21EFA8D845BEDBBB2AF09310F14409EE519A7392C7349A41CB75

Function 007096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00709717
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709720

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00709742
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00709866

Strings

^ ERROR, xrefs: 007097FB
Line %d:, xrefs: 007097A0
Line %d (File "%s"):, xrefs: 0070978F
Error: , xrefs: 0070981D
%s (%d) : ==> %s: %s %s, xrefs: 0070984A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 65b4403151893cc0ce8081c277139b354a54062e4f80a194e9a9298820a39961
Instruction ID: 023cf2a8adb630f5aa765e847e8de1e92dd9b3e287cbeca3f5f2a566147aaa5a
Opcode Fuzzy Hash: 65b4403151893cc0ce8081c277139b354a54062e4f80a194e9a9298820a39961
Instruction Fuzzy Hash: E8415D72800219AACF44FBE0CD46DEE7779AF56340F604129F60672192EB396F48CF65

Function 007006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00700804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0070082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00700837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0070083C

Strings

\CLSID, xrefs: 00700724
SOFTWARE\Classes\, xrefs: 0070070E
\IPC$, xrefs: 00700784

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction ID: 98cbc07952619a108fbf98ae40bea86ad9c0b5faf3c9919b3635668f953cfc1b
Opcode Fuzzy Hash: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction Fuzzy Hash: ED41E876C10229ABDF15EBA4DC959EDB7B9BF04350F548129F901B31A1EB386E04CFA4

Function 00723C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00723C5C
CoInitialize.OLE32(00000000), ref: 00723C8A
CoUninitialize.OLE32 ref: 00723C94
_wcslen.LIBCMT ref: 00723D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00723DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00723ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00723F0E
CoGetObject.OLE32(?,00000000,0073FB98,?), ref: 00723F2D
SetErrorMode.KERNEL32(00000000), ref: 00723F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00723FC4
VariantClear.OLEAUT32(?), ref: 00723FD8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: efb8a052176dfaa1f3780c307f2432312f212d68e27b91b93c1a0818348204bf
Instruction ID: 0fccdbae1fd119ef4e8f2053d6fc6fc9f89a7b06983b7c31fa3b62385ebbdf2d
Opcode Fuzzy Hash: efb8a052176dfaa1f3780c307f2432312f212d68e27b91b93c1a0818348204bf
Instruction Fuzzy Hash: 6DC155B16083159FD700DF28D88492BBBE9FF89744F14491DF98A9B251DB38EE05CB62

Function 00717A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00717AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00717B8F
SHGetDesktopFolder.SHELL32(?), ref: 00717BA3
CoCreateInstance.OLE32(0073FD08,00000000,00000001,00766E6C,?), ref: 00717BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00717C74
CoTaskMemFree.OLE32(?,?), ref: 00717CCC
SHBrowseForFolderW.SHELL32(?), ref: 00717D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00717D7A
CoTaskMemFree.OLE32(00000000), ref: 00717D81
CoTaskMemFree.OLE32(00000000), ref: 00717DD6
CoUninitialize.OLE32 ref: 00717DDC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 13c49278de470c3cbb6c61b866d2105e3b06258cd8a630428f85ef7c2c0f139d
Instruction ID: 5f2caa4b14e47d6aa8d28aec5fe113e3bb43394e212fdf976c19ac044a58aa10
Opcode Fuzzy Hash: 13c49278de470c3cbb6c61b866d2105e3b06258cd8a630428f85ef7c2c0f139d
Instruction Fuzzy Hash: DFC11D75A04109AFDB14DFA8C884DAEBBF9FF48314B148499F4169B261D734EE81CB94

Function 0073541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00735504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00735515
CharNextW.USER32(00000158), ref: 00735544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00735585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0073559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007355AC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction ID: 90af93be2cb8b022c471e2b8ac513b0572b6398aff42435419e9a645adb513f4
Opcode Fuzzy Hash: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction Fuzzy Hash: AE61AE71900608EFEF11CF54CC85EFE7BB9EB09721F108185F925AB292D7789A80DB60

Function 006FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 006FFB08
VariantInit.OLEAUT32(?), ref: 006FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006FFB3A
VariantCopy.OLEAUT32(?,?), ref: 006FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006FFBA1
VariantClear.OLEAUT32(?), ref: 006FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 006FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBCC
VariantClear.OLEAUT32(?), ref: 006FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBE9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction ID: e078e6f5603ad9849c64ebcb3b2633accb5d8bd4e1d682895176e0d8dcea8601
Opcode Fuzzy Hash: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction Fuzzy Hash: 2F417F75A00219DFDB01DFA4D8549FEBBBAFF48355F008069E906A7261CB34E945CF94

Function 00709C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00709CA1
GetAsyncKeyState.USER32(000000A0), ref: 00709D22
GetKeyState.USER32(000000A0), ref: 00709D3D
GetAsyncKeyState.USER32(000000A1), ref: 00709D57
GetKeyState.USER32(000000A1), ref: 00709D6C
GetAsyncKeyState.USER32(00000011), ref: 00709D84
GetKeyState.USER32(00000011), ref: 00709D96
GetAsyncKeyState.USER32(00000012), ref: 00709DAE
GetKeyState.USER32(00000012), ref: 00709DC0
GetAsyncKeyState.USER32(0000005B), ref: 00709DD8
GetKeyState.USER32(0000005B), ref: 00709DEA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction ID: 92f293f097615694c1789cbddde2a3241243b7a725fda32facb2519f65b7909d
Opcode Fuzzy Hash: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction Fuzzy Hash: 2C41B634A447C9E9FF719670C8143B6BEE06B11344F04825ADBC6566C3EBAD9DC8C7A2

Function 0072055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007205BC
inet_addr.WSOCK32(?), ref: 0072061C
gethostbyname.WSOCK32(?), ref: 00720628
IcmpCreateFile.IPHLPAPI ref: 00720636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007207B9
WSACleanup.WSOCK32 ref: 007207BF

Strings

Ping, xrefs: 00720676

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8522cfc39f94474b1cbaba5bf5b56c197cdca6d37ea6607def3999b09cecca3b
Instruction ID: 1f4ed49a9cb1899eae5e6b3ef855c946830810131129e30cceca05b6d3eb42ae
Opcode Fuzzy Hash: 8522cfc39f94474b1cbaba5bf5b56c197cdca6d37ea6607def3999b09cecca3b
Instruction Fuzzy Hash: 2891AB756042119FD720DF25D888F1ABBE1AF84318F1485A9E46A9B7A3C738ED41CFE1

Function 00728CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00728CF3

Part of subcall function 00708E54: _wcslen.LIBCMT ref: 00708E77

_wcslen.LIBCMT ref: 00728D4E
_wcslen.LIBCMT ref: 00728D9C
_wcslen.LIBCMT ref: 00728DDC
_wcslen.LIBCMT ref: 00728E6E

Strings

none, xrefs: 00728E65, 00728E6A
winapi, xrefs: 00728D96, 00728D9B
stdcall, xrefs: 00728DD6, 00728DDB
cdecl, xrefs: 00728D48, 00728D4D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0f6e200cd89405d6e4af7a3332a021c776df68370e370910cf02b04de1825688
Instruction ID: 06872e39c8b8560d81ce58ebde4335d04ce5b39d2afb3e38ba6e2608555a47fe
Opcode Fuzzy Hash: 0f6e200cd89405d6e4af7a3332a021c776df68370e370910cf02b04de1825688
Instruction Fuzzy Hash: 8551E331A010269BCF54DF68D8409BEB3A6BF64320B21422DE826E72C4DF3ADE40C7D1

Function 0072372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00723774
CoUninitialize.OLE32 ref: 0072377F
CoCreateInstance.OLE32(?,00000000,00000017,0073FB78,?), ref: 007237D9
IIDFromString.OLE32(?,?), ref: 0072384C
VariantInit.OLEAUT32(?), ref: 007238E4
VariantClear.OLEAUT32(?), ref: 00723936

Strings

Invalid parameter, xrefs: 00723865
NULL Pointer assignment, xrefs: 0072381E
Failed to create object, xrefs: 007237E4, 0072389A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e78ad9cb6ebb624dea5391508255bd14ad7d1f203189877708f7a237f266ddff
Instruction ID: 1f140a66f901ba3adf75d22ea42fe651205d546bb1909c302e517c8908270e66
Opcode Fuzzy Hash: e78ad9cb6ebb624dea5391508255bd14ad7d1f203189877708f7a237f266ddff
Instruction Fuzzy Hash: A361C0B0608311AFD711DF64D888B5AB7E4EF45715F00490DF9859B291C778EE88CBA6

Function 00738B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00738B6B
ImageList_EndDrag.COMCTL32 ref: 00738B71
ReleaseCapture.USER32 ref: 00738B77
SetWindowTextW.USER32(?,00000000), ref: 00738C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00738C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00738CFF

Strings

@GUI_DRAGFILE, xrefs: 00738C9A
p#w, xrefs: 00738C71
@GUI_DROPID, xrefs: 00738C51

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#w
API String ID: 1924731296-3001469106
Opcode ID: 46f194e23a2ba9eb70de107e37b96ee1a21018a1b60aac7b3fd2ffe6191c1256
Instruction ID: b5341687aa79529d9299e683c6b4ef86a06adf6ec78cb8b5453c9d2208f437eb
Opcode Fuzzy Hash: 46f194e23a2ba9eb70de107e37b96ee1a21018a1b60aac7b3fd2ffe6191c1256
Instruction Fuzzy Hash: DA51AB71104300AFE744EF14CC56FAA77E5FB88754F500A2DF956672A2CB38AD44CB66

Function 00713388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007133CF

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007133F0

Strings

^ ERROR , xrefs: 0071349E
Line %d (File "%s"):, xrefs: 00713443, 0071345C
"%s" (%d) : ==> %s:, xrefs: 00713522
Error: , xrefs: 007134D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00713504
Incorrect parameters to object property !, xrefs: 007134AB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 936e0dad7d1d9912625a7c6e2a628bdb1ce4686af8f55e75014514e21eedea73
Instruction ID: ed6d138c3b4ab56edce7148075b5cc6fdc3ab87c445aefb6642113da85adfdf2
Opcode Fuzzy Hash: 936e0dad7d1d9912625a7c6e2a628bdb1ce4686af8f55e75014514e21eedea73
Instruction Fuzzy Hash: 5F51B171900219AADF15FBE4CD46EEEB77AAF05340F208169F50572192EB392F98CF64

Function 0070B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0070B5FC
_wcslen.LIBCMT ref: 0070B608
_wcslen.LIBCMT ref: 0070B64D
_wcslen.LIBCMT ref: 0070B68C
_wcslen.LIBCMT ref: 0070B6C7

Strings

REMOVE, xrefs: 0070B602, 0070B607
EXISTS, xrefs: 0070B686, 0070B68B
KEYS, xrefs: 0070B647, 0070B64C
APPEND, xrefs: 0070B6C1, 0070B6C6

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction ID: 89ca35bd5fff78b5340541af568d081aafcf514b034fa57b8bdb6bd6253d5a7f
Opcode Fuzzy Hash: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction Fuzzy Hash: B341B832A00127DBCB109F7DC9905BE77E5AFA1754B244329E421D72C4E73ADE81C790

Function 00715393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00715416
GetLastError.KERNEL32 ref: 00715420
SetErrorMode.KERNEL32(00000000,READY), ref: 007154A7

Strings

NOTREADY, xrefs: 0071544B
INVALID, xrefs: 00715459
UNKNOWN, xrefs: 00715444
READY, xrefs: 00715460, 00715468
READONLY, xrefs: 00715452

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction ID: 93bb8d85a1fdda8415c42295477e62a0b07ed1eb83275ca903575777937c4282
Opcode Fuzzy Hash: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction Fuzzy Hash: 74319175A00544DFDB15DF6CC484AEABBB4EB85305F148069E806DB292DB79DDC2CB90

Function 00733C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00733C79
SetMenu.USER32(?,00000000), ref: 00733C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00733D10
IsMenu.USER32(?), ref: 00733D24
CreatePopupMenu.USER32 ref: 00733D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00733D5B
DrawMenuBar.USER32 ref: 00733D63

Strings

0, xrefs: 00733C54
F, xrefs: 00733D4E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e9ef6bcc79f4e52a0af9a81768c8dbead1f1f8e0a994d16f872552191ae3b3b5
Instruction ID: 976f7a6cfdd6f2c0672049957f521d7e7493629230e4ed02b9f99a8798f8105d
Opcode Fuzzy Hash: e9ef6bcc79f4e52a0af9a81768c8dbead1f1f8e0a994d16f872552191ae3b3b5
Instruction Fuzzy Hash: 18415A75A01209EFEB24CF64D844EEA7BB5FF49351F144029F946A7361D738AA10CF98

Function 00701EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00701F64
GetDlgCtrlID.USER32 ref: 00701F6F
GetParent.USER32 ref: 00701F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00701F8E
GetDlgCtrlID.USER32(?), ref: 00701F97
GetParent.USER32(?), ref: 00701FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00701FAE

Strings

ComboBox, xrefs: 00701EEC
ListBox, xrefs: 00701F21

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b70f8ec588be28c8b4fc3f51866d6cd1f288df413c090c61ecf06833112166ed
Instruction ID: 5f07ab6e58458d76e2b90035e81ffb5f3f495aeca0833ac3397cc109abaca512
Opcode Fuzzy Hash: b70f8ec588be28c8b4fc3f51866d6cd1f288df413c090c61ecf06833112166ed
Instruction Fuzzy Hash: 8921AC70900214EBDF05AFA0CC859EEBBB9EB06350B104699F965A72E1CB3859089B74

Function 00733A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00733A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00733AA0
GetWindowLongW.USER32(?,000000F0), ref: 00733AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00733AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00733B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00733BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00733BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00733BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00733BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00733C13

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction ID: a11150e97f13d5b5dbf2ffd50b4b9c74b9a5fdb52fdac4bcf2b3625e6eb90e94
Opcode Fuzzy Hash: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction Fuzzy Hash: 79617D75900248AFEB20DF68CC81EEE77F8EB09710F104199FA15A7292C778AE41DF64

Function 0070B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B165
GetWindowThreadProcessId.USER32(00000000), ref: 0070B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0070B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B21D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction ID: a32f9a9979e26fdb766e5fdf216458563967755f0b1c92a65465791a6d0bed34
Opcode Fuzzy Hash: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction Fuzzy Hash: 9A318F71500204FFEB119F64DD49B6D7BAABB61352F108505FA05DA290D7BC9A80CF68

Function 006D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D2C94

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D2CA0
_free.LIBCMT ref: 006D2CAB
_free.LIBCMT ref: 006D2CB6
_free.LIBCMT ref: 006D2CC1
_free.LIBCMT ref: 006D2CCC
_free.LIBCMT ref: 006D2CD7
_free.LIBCMT ref: 006D2CE2
_free.LIBCMT ref: 006D2CED
_free.LIBCMT ref: 006D2CFB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction ID: 5015f72caaf0c024dd6eaedebfbea3f59ebfa463672c92ce45f735d2a507113b
Opcode Fuzzy Hash: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction Fuzzy Hash: 75111936900009BFCB42EF55D862CDC3BA6FF15740F4140AAF9485F322D631EE50AB94

Function 00717DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00717FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00717FC1
GetFileAttributesW.KERNEL32(?), ref: 00717FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00718005
SetCurrentDirectoryW.KERNEL32(?), ref: 00718017
SetCurrentDirectoryW.KERNEL32(?), ref: 00718060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007180B0

Strings

*.*, xrefs: 00718066

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a15ce9d94b8b58914ebce3cd239984e36968b056bea74f070292c6680f8176f3
Instruction ID: 3b61ff165b02fcefad8c227adb6eb1bd314d220fc802885d8a8c2af155fefd5f
Opcode Fuzzy Hash: a15ce9d94b8b58914ebce3cd239984e36968b056bea74f070292c6680f8176f3
Instruction Fuzzy Hash: A38191725082459BCB64EF18C8449EAB3E9BF89310F544C5EF885D7290EB39DD89CB92

Function 006A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006A5C7A

Part of subcall function 006A5D0A: GetClientRect.USER32(?,?), ref: 006A5D30
Part of subcall function 006A5D0A: GetWindowRect.USER32(?,?), ref: 006A5D71
Part of subcall function 006A5D0A: ScreenToClient.USER32(?,?), ref: 006A5D99

GetDC.USER32 ref: 006E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006E4708
SelectObject.GDI32(00000000,00000000), ref: 006E4716
SelectObject.GDI32(00000000,00000000), ref: 006E472B
ReleaseDC.USER32(?,00000000), ref: 006E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006E47C4

Strings

U, xrefs: 006E4693

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction ID: c22b05684d697f7fe04141d7f5569891b7ff2ede4b07c546cf9655bea53542b1
Opcode Fuzzy Hash: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction Fuzzy Hash: 9B71CD30401345DFCF21DF74C984AEA7BB2FF4A361F144269E9565A2AACB319C82DF90

Function 0071359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

^ ERROR, xrefs: 007136C9
Line %d (File "%s"):, xrefs: 0071366B
"%s" (%d) : ==> %s:, xrefs: 00713742
Error: , xrefs: 007136EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00713724

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: b06b2000ff1b3ec56495f0cc6cdc586b95d3990b6a39ca0df600b32b30128b16
Instruction ID: be7bf439f065b4c640ec8e08fa4edfdf51c871f74ca5afa7acb7289665bcfbd6
Opcode Fuzzy Hash: b06b2000ff1b3ec56495f0cc6cdc586b95d3990b6a39ca0df600b32b30128b16
Instruction Fuzzy Hash: 96518FB1800219EADF15FBA4CC42EEEBB75AF05340F544129F505721A2EB392F98DFA4

Function 0071C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C2CA
GetLastError.KERNEL32 ref: 0071C322
SetEvent.KERNEL32(?), ref: 0071C336
InternetCloseHandle.WININET(00000000), ref: 0071C341

Strings

, xrefs: 0071C2BB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction ID: 6559f531024e42978254b67b2c239eca9e29991b874c7bc24e16382bc1094b9b
Opcode Fuzzy Hash: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction Fuzzy Hash: 673180B1540204AFE7239FA9CC88AEB7BFCEB49744F14851DF456E2280DB38DD849B65

Function 0070989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006E3AAF,?,?,Bad directive syntax error,0073CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007098BC
LoadStringW.USER32(00000000,?,006E3AAF,?), ref: 007098C3

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00709987

Strings

Line %d:, xrefs: 00709912
%s (%d) : ==> %s.: %s %s, xrefs: 007098F1
Line %d (File "%s"):, xrefs: 0070992D
Error: , xrefs: 00709955
., xrefs: 0070996D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: afc04908c6c40bffb50b17e4f21532f6af190008052a0b3ec2f678626d951249
Instruction ID: 644f0d99014f300660f22fb862e2a3b1ee7608d21894a3d3f5b3b8494a584c98
Opcode Fuzzy Hash: afc04908c6c40bffb50b17e4f21532f6af190008052a0b3ec2f678626d951249
Instruction Fuzzy Hash: 0721B471800229EBDF56AF90CC06EED7776FF15300F044419F515610A2EB39AA18DF64

Function 0070209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0070214D

Strings

SHELLDLL_DefView, xrefs: 007020CC
details, xrefs: 007020FB
smallicons, xrefs: 00702115
largeicons, xrefs: 007020E1
list, xrefs: 0070212F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction ID: 0e5e920af8b72ea89eb3d96b20863d65e4089beea5e58a1b8eafce7c2a13a083
Opcode Fuzzy Hash: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction Fuzzy Hash: 7611E3B768870AF9FA156724DC0FDB677DCCB05324F20021AFA09A50D2FEAD68436618

Function 006DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006DCEB7
_free.LIBCMT ref: 006DCF22
_free.LIBCMT ref: 006DCF48
_free.LIBCMT ref: 006DCF71
_free.LIBCMT ref: 006DCFA9
_free.LIBCMT ref: 006DCFDA
_free.LIBCMT ref: 006DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006DD09C
_free.LIBCMT ref: 006DD0B5

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f462333f70164177f7e99ab6f076648f54889a298670233d29115b16ec38caa0
Instruction ID: 4c652a9834890ed6955a9da9e7a706e8e5f392c5ea3da29b377eee0bc58fdc36
Opcode Fuzzy Hash: f462333f70164177f7e99ab6f076648f54889a298670233d29115b16ec38caa0
Instruction Fuzzy Hash: 726155B1E0430AAFDB31AFB89891AEA7BA7EF05360F04416FF9049B381D6359D01D794

Function 006B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F692D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction ID: bba1db82c3bd76affe1b14ab5b36dc21a6e1a477601148fccfe895481a6df5c9
Opcode Fuzzy Hash: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction Fuzzy Hash: E2517CB0600209EFDB20CF28CC55FEA7BBAFB54750F108518FA56A72A0DB74E991DB54

Function 0071C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C182
GetLastError.KERNEL32 ref: 0071C195
SetEvent.KERNEL32(?), ref: 0071C1A9

Part of subcall function 0071C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
Part of subcall function 0071C253: GetLastError.KERNEL32 ref: 0071C322
Part of subcall function 0071C253: SetEvent.KERNEL32(?), ref: 0071C336
Part of subcall function 0071C253: InternetCloseHandle.WININET(00000000), ref: 0071C341

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction ID: c98105f0a032b7c1509cfe44425f76bb7a3aecc378138c9263674867e96ba227
Opcode Fuzzy Hash: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction Fuzzy Hash: A131A171280605FFDB229FE9DC08AABBBF8FF18301B04841DF95696650C739E854EB60

Function 007025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00702601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00702605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0070260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00702623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00702627

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction ID: 80e536fd6f987216c85067f47560be7cae3d69f282c02d3d04ab7a66e8591247
Opcode Fuzzy Hash: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction Fuzzy Hash: 0601D471390214FBFB1067689C8FF593F99DB4EB12F104041F318BE1D1C9EA28459A6D

Function 00701803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00701449,?,?,00000000), ref: 0070180C
HeapAlloc.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701828
GetCurrentProcess.KERNEL32(?,00000000,?,00701449,?,?,00000000), ref: 00701830
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701843
GetCurrentProcess.KERNEL32(00701449,00000000,?,00701449,?,?,00000000), ref: 0070184B
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 0070184E
CreateThread.KERNEL32(00000000,00000000,00701874,00000000,00000000,00000000), ref: 00701868

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction ID: fd5595887c1c65e50484738cc03c983366734f66792c93b63480ba7debaf8736
Opcode Fuzzy Hash: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction Fuzzy Hash: 1301A8B5240308BFF611ABA5DC4AF6B3BACEB89B11F418411FA05EB1A1CA7498109B24

Function 006D3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006D3F0B
__alldvrm.LIBCMT ref: 006D410C
__alldvrm.LIBCMT ref: 006D412E

Strings

}}l, xrefs: 006D3E96, 006D3EF1, 006D3F0A, 006D4090
}}l, xrefs: 006D40CD
}}l, xrefs: 006D3E8A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}l$}}l$}}l
API String ID: 1036877536-1371562550
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 462cf3d6d5a47fb16cae025299b797074d9adad7452ebc33da206fbb3a505080
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 8DA12571D003969FDB258F18CC917BEBBE6EF65350F18416EE5859B381CA348D81C751

Function 0072A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0070D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Part of subcall function 0070D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Part of subcall function 0070D4DC: CloseHandle.KERNELBASE(00000000), ref: 0070D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A16D
GetLastError.KERNEL32 ref: 0072A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0072A268
GetLastError.KERNEL32(00000000), ref: 0072A273
CloseHandle.KERNEL32(00000000), ref: 0072A2C4

Strings

SeDebugPrivilege, xrefs: 0072A18F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4516a569daa54ea498427d5192a66bdde6aedbd8a1a9c71ecf45c0224fba508b
Instruction ID: e7c9d1da8b9dfdc674ac521ec4b0b57778e8cd753dbcbf8bfa8b91acb2d8fc3e
Opcode Fuzzy Hash: 4516a569daa54ea498427d5192a66bdde6aedbd8a1a9c71ecf45c0224fba508b
Instruction Fuzzy Hash: 56619D71204252EFD720DF18D894F15BBE1AF84318F18849CE4668B7A3C77AEC45CB96

Function 00733886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00733925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0073393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00733954
_wcslen.LIBCMT ref: 00733999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007339F4

Strings

SysListView32, xrefs: 007338F7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction ID: bdb029c2347e80aa6162bfe96e142aaa74afeb96ea40b181d30af296462ac3de
Opcode Fuzzy Hash: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction Fuzzy Hash: 4541A271A00318EBEB219F64CC49FEA77A9EF08354F10456AF958E7282D7799D80CB94

Function 0070BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0070BCFD
IsMenu.USER32(00000000), ref: 0070BD1D
CreatePopupMenu.USER32 ref: 0070BD53
GetMenuItemCount.USER32(00CA5658), ref: 0070BDA4
InsertMenuItemW.USER32(00CA5658,?,00000001,00000030), ref: 0070BDCC

Strings

2, xrefs: 0070BD37
0, xrefs: 0070BCA8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e15940d0c594f4b55b1a0e3cfc0f76022ed774fbb8575c9eb6f826f8def59dbd
Instruction ID: e781e6b422de8a4c6050cc2fe2abd404de3dd0132d502059472d1c8185f3da29
Opcode Fuzzy Hash: e15940d0c594f4b55b1a0e3cfc0f76022ed774fbb8575c9eb6f826f8def59dbd
Instruction Fuzzy Hash: 25518C70B00206DBDB11DFA8D888BAEFBF4EF45314F248359E851A72D1D778AA41CB61

Function 006C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006C2D53
_ValidateLocalCookies.LIBCMT ref: 006C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006C2E0C
_ValidateLocalCookies.LIBCMT ref: 006C2E61

Strings

csm, xrefs: 006C2DF6
&Hl, xrefs: 006C2DFE, 006C2E07, 006C2E18

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hl$csm
API String ID: 1170836740-4116197483
Opcode ID: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction ID: 0d29d31292b4b29cb9f6e7581d01cb0436a767d86ae912dcaf92a35d2315130d
Opcode Fuzzy Hash: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction Fuzzy Hash: 8F417D34A0121AABCF10DF68C855FEEBBA6FF45324F14815DEC156B392D735AA058BD0

Function 0070C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0070C913

Strings

info, xrefs: 0070C8B4
blank, xrefs: 0070C895
warning, xrefs: 0070C8FC
question, xrefs: 0070C8CC
stop, xrefs: 0070C8E4

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction ID: 5397dc70f6aeb85e6fe6bfdccfcf3bec69056bdb712c17351fd9099dda0895ba
Opcode Fuzzy Hash: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction Fuzzy Hash: 0B113D31699306FEE7069B549C83DAA37DCDF15314B50432EF904A62C2EB7CAD00526C

Function 0070DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0070DE42
gethostname.WSOCK32(?,00000100), ref: 0070DE5C
gethostbyname.WSOCK32(?), ref: 0070DE69
inet_ntoa.WSOCK32(?), ref: 0070DEAB
_strcat.LIBCMT ref: 0070DEB9
WSACleanup.WSOCK32 ref: 0070DEDE

Strings

0.0.0.0, xrefs: 0070DE87

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ade314f901ca6fb728f2b57c0bc3dad358642405e9c79b18ba366e91363e1cbc
Instruction ID: 05f11d72f8f1613af4b593d073e4609de50fcb24021d9376ef182d994bae4e1f
Opcode Fuzzy Hash: ade314f901ca6fb728f2b57c0bc3dad358642405e9c79b18ba366e91363e1cbc
Instruction Fuzzy Hash: C4110672904215EBDB31AB60DC0AEEE77ADDF14711F00026DF405AA0D1EF798E818B64

Function 0070ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0070ED2A
_wcslen.LIBCMT ref: 0070ED3B
_wcslen.LIBCMT ref: 0070ED79
_wcslen.LIBCMT ref: 0070EDAF
_wcslen.LIBCMT ref: 0070EDDF
_wcslen.LIBCMT ref: 0070EDEF
_wcslen.LIBCMT ref: 0070EE2B
_wcslen.LIBCMT ref: 0070EE5A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction ID: f22307143735fd4b2f16dd9c98649b12660cd00f7627b35eb66948724ecfb1a6
Opcode Fuzzy Hash: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction Fuzzy Hash: C641B265D10118A5DB51EBB4C88AEEFB3A9EF05300F00896AF518E3162FB38D345C3E9

Function 006BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF454

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction ID: a8adc72360d65884a754bca8c39e32ccc1f5614dd7fced4218077cc905cd815a
Opcode Fuzzy Hash: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction Fuzzy Hash: C44127B1208684FAD739AB2C8C887FA7B93AF46310F14843CF18762771C636A8C1CB51

Function 00732D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00732D1B
GetDC.USER32(00000000), ref: 00732D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00732D2E
ReleaseDC.USER32(00000000,00000000), ref: 00732D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00732D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00732D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00735A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00732DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00732DE1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction ID: 78f5528b231cea22f1daed53db4f97907a23b58769e11783f317945fc296fe3b
Opcode Fuzzy Hash: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction Fuzzy Hash: 81317F72211214BFFB154F50CC8AFEB3BA9EF09715F048055FE48AA292C6799C51C7A4

Function 00705622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705637
_memcmp.LIBVCRUNTIME ref: 00705659
_memcmp.LIBVCRUNTIME ref: 00705671
_memcmp.LIBVCRUNTIME ref: 00705684
_memcmp.LIBVCRUNTIME ref: 0070569E
_memcmp.LIBVCRUNTIME ref: 007056B1
_memcmp.LIBVCRUNTIME ref: 007056C9
_memcmp.LIBVCRUNTIME ref: 007056E4

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction ID: ed8518851f9937a7f8cf0e73158f05d70b28eb6d072aabc40216d14ec0fcbfd0
Opcode Fuzzy Hash: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction Fuzzy Hash: 4421ADA1A40A05F7E31455218E52FBB33DDEF22784F440128FD099E5C2FB69DD108DB9

Function 00724FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0072502E, 00725383
Not an Object type, xrefs: 00725007

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 664df58bac0a404ea03c38a7b63e3d143772a44824f5d702f882811de7f2fd46
Instruction ID: be65074d9d011d5332834c9a3381afebb6b6310c2413ef7623a9d95b09fbb76b
Opcode Fuzzy Hash: 664df58bac0a404ea03c38a7b63e3d143772a44824f5d702f882811de7f2fd46
Instruction Fuzzy Hash: 2ED1C1B1A0061ADFDF10CFA8D885BAEB7B5FF48354F148069E915AB281E774DD41CBA0

Function 006E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006E17FB,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16FB

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1777
__freea.LIBCMT ref: 006E17A2
__freea.LIBCMT ref: 006E17AE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction ID: 053613ba5cfd1afc2df840d98f663bdbc245760dc1cddd83b12b0a8d95f016c0
Opcode Fuzzy Hash: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction Fuzzy Hash: 3791C3B1E023969ADF208F66C851EEE7BB7AF46710F184659E801EF281D735CC41E760

Function 00724523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00724648
VariantInit.OLEAUT32(?), ref: 00724749
VariantClear.OLEAUT32(?), ref: 00724753
VariantClear.OLEAUT32(?), ref: 007247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0072472C
Null Object assignment in FOR..IN loop, xrefs: 007245D8, 00724706, 007247BE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b946831b10df05a4c1fbaf996168a34bc73f13ae6a0469b848ec52d3ae1b0eaa
Instruction ID: 4cf698dd3b6620254701e5ce9f2517a139e1c297c23de639e96a39c7dc35b9e4
Opcode Fuzzy Hash: b946831b10df05a4c1fbaf996168a34bc73f13ae6a0469b848ec52d3ae1b0eaa
Instruction Fuzzy Hash: 6B918171A00229AFDF24CFA5DC44FAEBBB8EF46714F108559F515AB280D7789941CFA0

Function 00711187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0071125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00711284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0071135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00711430

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f31c3a48f4ecefccced34a172be7571b725b5cdf1586ef6a78d524e5cd3a3a27
Instruction ID: 20c32ee22c62c093d157fcdc517d76fdd788cc21333e279b8b39031b0eb59e6a
Opcode Fuzzy Hash: f31c3a48f4ecefccced34a172be7571b725b5cdf1586ef6a78d524e5cd3a3a27
Instruction Fuzzy Hash: E991E271A00219AFDB00DF98D885BFEB7B5FF45721F508029EA11EB2D1D778A981CB94

Function 006B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction ID: f1f73779abcdb90fa9237277cb0e0ef1bdf9e94e8bb647d57fe949b4803e9e43
Opcode Fuzzy Hash: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction Fuzzy Hash: 5F913BB1D40219EFCB15CFA9CC84AEEBBB9FF49320F148059E615B7251D374A982CB60

Function 00723947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072396B
CharUpperBuffW.USER32(?,?), ref: 00723A7A
_wcslen.LIBCMT ref: 00723A8A
VariantClear.OLEAUT32(?), ref: 00723C1F

Part of subcall function 00710CDF: VariantInit.OLEAUT32(00000000), ref: 00710D1F
Part of subcall function 00710CDF: VariantCopy.OLEAUT32(?,?), ref: 00710D28
Part of subcall function 00710CDF: VariantClear.OLEAUT32(?), ref: 00710D34

Strings

AUTOIT.ERROR, xrefs: 00723A80, 00723A85
Incorrect Parameter format, xrefs: 007239A6, 00723BA1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 807fb4f8ab2b726ef544ba4cd6d092ec740c7875d8ea8f86ba290c674639e059
Instruction ID: 4b3fc35fff0fc3c59555560437e6400fe5faa93f1c9d424c32ed5b72e1484e55
Opcode Fuzzy Hash: 807fb4f8ab2b726ef544ba4cd6d092ec740c7875d8ea8f86ba290c674639e059
Instruction Fuzzy Hash: AD9166746083119FC704EF24D48096AB7E5FF89314F14892EF88A9B351DB38EE45CB92

Function 00724BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0070000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
Part of subcall function 0070000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
Part of subcall function 0070000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
Part of subcall function 0070000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00724C51
_wcslen.LIBCMT ref: 00724D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00724DCF
CoTaskMemFree.OLE32(?), ref: 00724DDA

Strings

NULL Pointer assignment, xrefs: 00724E23, 00724E52

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b51ecef038ccbd38a433ad4c069716e5cfb62183e03e6dc19531fdd0384018c5
Instruction ID: 2d972757bc61be8a74bc4331ec10abe0a83991ea254c3b8180d4324193865d4a
Opcode Fuzzy Hash: b51ecef038ccbd38a433ad4c069716e5cfb62183e03e6dc19531fdd0384018c5
Instruction Fuzzy Hash: 2D910971D00229EFDF15DFA4D891AEEB7B9BF08310F10856AE915A7251DB385E44CFA0

Function 007320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00732183
GetMenuItemCount.USER32(00000000), ref: 007321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007321DD
_wcslen.LIBCMT ref: 00732213
GetMenuItemID.USER32(?,?), ref: 0073224D
GetSubMenu.USER32(?,?), ref: 0073225B

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007322E3

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b152ae0a5c8086941a94e887f6c0f9271b110d10f817665804c1be9bf360c10d
Instruction ID: 48a4ffd9677a205a698f53098e47c5e565d72c94340dd1854a8564764a8b04ca
Opcode Fuzzy Hash: b152ae0a5c8086941a94e887f6c0f9271b110d10f817665804c1be9bf360c10d
Instruction Fuzzy Hash: D7717E75A00215AFDB50EF64C845AAEB7F6FF48320F158459E816EB352DB38ED428B90

Function 0070AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0070AEF9
GetKeyboardState.USER32(?), ref: 0070AF0E
SetKeyboardState.USER32(?), ref: 0070AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0070AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0070AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0070AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0070B020

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction ID: 5af64caa691d1c780f31e34b272149469f4f245caaf63240a0c6be01b7eabebf
Opcode Fuzzy Hash: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction Fuzzy Hash: 2051A2A0A047D6BDFB368334C84ABBA7EE95B06304F088689E1D9954C2D3DDE9C4D751

Function 0070ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0070AD19
GetKeyboardState.USER32(?), ref: 0070AD2E
SetKeyboardState.USER32(?), ref: 0070AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0070ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0070ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0070AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0070AE38

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction ID: 345acf2d2f74b8651942f5a3dc7ab91e1c2cd0cc49bfa87746b1b1390eda0b59
Opcode Fuzzy Hash: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction Fuzzy Hash: 4451F7A16047D5BDFB338334CC56B7A7ED86B46300F088689E1D5968C3D29CEC84D752

Function 006D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006E3CD6,?,?,?,?,?,?,?,?,006D5BA3,?,?,006E3CD6,?,?), ref: 006D5470
__fassign.LIBCMT ref: 006D54EB
__fassign.LIBCMT ref: 006D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006E3CD6,00000005,00000000,00000000), ref: 006D552C
WriteFile.KERNEL32(?,006E3CD6,00000000,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D554B
WriteFile.KERNEL32(?,?,00000001,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D5584

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction ID: 759ec3d598dfe65c3ad4ded032a45f4138b2588563cd040cc8e747528efee185
Opcode Fuzzy Hash: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction Fuzzy Hash: C651B3B0D006499FDB11CFA8D845AEEBBFAEF08300F14415BE556E7391D7309A41CB65

Function 007210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00721112
WSAGetLastError.WSOCK32 ref: 00721121
WSAGetLastError.WSOCK32 ref: 007211C9
closesocket.WSOCK32(00000000), ref: 007211F9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction ID: 8adc47329c5d5c59a927bfc6424079651e1060218b62abe84e53a533798ca9e9
Opcode Fuzzy Hash: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction Fuzzy Hash: 02410531600218AFEB109F24D884BAAB7EAFF45324F148059FD05AB291C778EE41CBE5

Function 0070CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

lstrcmpiW.KERNEL32(?,?), ref: 0070CF45
MoveFileW.KERNEL32(?,?), ref: 0070CF7F
_wcslen.LIBCMT ref: 0070D005
_wcslen.LIBCMT ref: 0070D01B
SHFileOperationW.SHELL32(?), ref: 0070D061

Strings

\*.*, xrefs: 0070CFF3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8d526313c7a5c12f0b947688db0c93e41c12b11fc7c52503f9f2e49809e83fe0
Instruction ID: c13e68fd87053f4d8a7eaaa549f85896c476a52fc288dc65f71b8621323c325a
Opcode Fuzzy Hash: 8d526313c7a5c12f0b947688db0c93e41c12b11fc7c52503f9f2e49809e83fe0
Instruction Fuzzy Hash: C34167B2905219DEDF13EBA4C981EDE77F9AF08340F1001EAE505EB181EA38AA44CB55

Function 00732DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00732E1C
GetWindowLongW.USER32(?,000000F0), ref: 00732E4F
GetWindowLongW.USER32(?,000000F0), ref: 00732E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00732EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00732EE0
GetWindowLongW.USER32(?,000000F0), ref: 00732EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00732F0B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction ID: 76db978d6e769c84067033f324c9ee14d6fbff4cbc8a2148b6f0e9aa67095b33
Opcode Fuzzy Hash: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction Fuzzy Hash: 99311731684150DFEB21CF18DC8AF6537E0EB4A751F1541A4FA049B2B3CB79A842DB45

Function 00707726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0070778F
SysAllocString.OLEAUT32(00000000), ref: 00707792
SysAllocString.OLEAUT32(?), ref: 007077B0
SysFreeString.OLEAUT32(?), ref: 007077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007077DE
SysAllocString.OLEAUT32(?), ref: 007077EC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 16e9aef8b1bfc48fa48ff0e4364d554cf5e1967384aa677d5848b04da33a014a
Instruction ID: a6928a013bee1aee457e16a0ed4330ed4b4b0f351dfada62be0ffc17531d0ad5
Opcode Fuzzy Hash: 16e9aef8b1bfc48fa48ff0e4364d554cf5e1967384aa677d5848b04da33a014a
Instruction Fuzzy Hash: 6621B076A04219AFEB14DFA8CC88CBB77ECEB093A47008125FA04DB1A0D678EC41C764

Function 007077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707868
SysAllocString.OLEAUT32(00000000), ref: 0070786B
SysAllocString.OLEAUT32 ref: 0070788C
SysFreeString.OLEAUT32 ref: 00707895
StringFromGUID2.OLE32(?,?,00000028), ref: 007078AF
SysAllocString.OLEAUT32(?), ref: 007078BD

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 55f6460abf53fc8941ef2b1a78fa6aece9a8dbb8c5456d96ba1cdb59b5ae74c1
Instruction ID: 7cd648e3d8cf3b33a522bfb6e4e216e582d084012d02953b53b93b2bcc2e807a
Opcode Fuzzy Hash: 55f6460abf53fc8941ef2b1a78fa6aece9a8dbb8c5456d96ba1cdb59b5ae74c1
Instruction Fuzzy Hash: 04216272A04214EFEB149FA8DC88DAA77ECEB09760710C125F915DB2E1D678EC41CB68

Function 007104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0071052E

Strings

nul, xrefs: 00710567

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction ID: 5f04e9a20080c1ec9dcfeb4dbcf02e13dc6bc6cf77c1bdd166513f94d98461c3
Opcode Fuzzy Hash: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction Fuzzy Hash: BD217C71500305ABDB209F2DD848E9A7BA5BF44724F204A19F8A1E62E0D7B499E0CFA0

Function 007105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00710601

Strings

nul, xrefs: 00710639

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction ID: cdc5b89cfc07720f88b4c32979d691bceb091cd3394304172d78b494e3893902
Opcode Fuzzy Hash: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction Fuzzy Hash: 692181755003059BDB209F6D8C08ADAB7E4BF95720F204A19F8A1E72E0D7F498E0CBA4

Function 007340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00734112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0073411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0073412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00734139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00734145

Strings

Msctls_Progress32, xrefs: 007340E3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction ID: e5897f150d34c940104e9483c438d16bfd265cfff8e7a658432f03a8aa321854
Opcode Fuzzy Hash: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction Fuzzy Hash: A811B2B214021DBEFF119F64CC86EE77F9DEF09798F014111FA18A2050CA769C61DBA4

Function 006DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006DD7A3: _free.LIBCMT ref: 006DD7CC

_free.LIBCMT ref: 006DD82D

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD838
_free.LIBCMT ref: 006DD843
_free.LIBCMT ref: 006DD897
_free.LIBCMT ref: 006DD8A2
_free.LIBCMT ref: 006DD8AD
_free.LIBCMT ref: 006DD8B8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae1737402aa4f2e1c42d28d22f158373e10cff8cb4e5ac7750636e3560ccc2c7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 2F115171D40B04AAD5A1BFB1CC57FCB7BDE6F10700F40082EB29DAA292DA65F5055654

Function 0070DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0070DA74
LoadStringW.USER32(00000000), ref: 0070DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0070DA91
LoadStringW.USER32(00000000), ref: 0070DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0070DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0070DAB9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction ID: 32f1d5f5e915cb5b907f9210c162172224690028935f5a7afc2b83e10af9664a
Opcode Fuzzy Hash: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction Fuzzy Hash: 2E0186F2500208BFF7119BE09D89EE7376CE708702F408595B706F2081EA789E844F79

Function 0071096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C9E238,00C9E238), ref: 0071097B
EnterCriticalSection.KERNEL32(00C9E218,00000000), ref: 0071098D
TerminateThread.KERNEL32(?,000001F6), ref: 0071099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007109A9
CloseHandle.KERNEL32(?), ref: 007109B8
InterlockedExchange.KERNEL32(00C9E238,000001F6), ref: 007109C8
LeaveCriticalSection.KERNEL32(00C9E218), ref: 007109CF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction ID: 8c6b6f0de25a4443ce0867c9e17626147ee2b0c1d3b87b96bc7c6fec7de5cc56
Opcode Fuzzy Hash: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction Fuzzy Hash: D2F0E131442512BBE7525F94EE8DBD67B35FF05703F405015F101608A1C7B9A4B5CF94

Function 00721C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00721DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00721DE1
WSAGetLastError.WSOCK32 ref: 00721DF2
htons.WSOCK32(?,?,?,?,?), ref: 00721EDB
inet_ntoa.WSOCK32(?), ref: 00721E8C

Part of subcall function 007039E8: _strlen.LIBCMT ref: 007039F2

Part of subcall function 00723224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0071EC0C), ref: 00723240

_strlen.LIBCMT ref: 00721F35

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 7658bff8d4a41b7051cc84dfa90bde8f4f3256c3fbef8b9977e0bdd8e01030f9
Instruction ID: f0847b8f905e44355049ebc4cccfeeeec4cd0dff6fdc49f977982c83b97d0294
Opcode Fuzzy Hash: 7658bff8d4a41b7051cc84dfa90bde8f4f3256c3fbef8b9977e0bdd8e01030f9
Instruction Fuzzy Hash: 82B11370604310AFD324EF24D895E2A7BE6BF95318F94894CF4565B2E2CB35EE42CB91

Function 006A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006A5D30
GetWindowRect.USER32(?,?), ref: 006A5D71
ScreenToClient.USER32(?,?), ref: 006A5D99
GetClientRect.USER32(?,?), ref: 006A5ED7
GetWindowRect.USER32(?,?), ref: 006A5EF8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 587cac25553be253fea79cee2550e28b4aa4b0173d4af40b07cf0f5dc0679b38
Instruction ID: 418d5a21ed12bb4e738c1aad96213641f1e10427d069abcaa5495dc1f08e89dd
Opcode Fuzzy Hash: 587cac25553be253fea79cee2550e28b4aa4b0173d4af40b07cf0f5dc0679b38
Instruction Fuzzy Hash: 66B15975A0078ADBDB10DFB9C4406EAB7F2FF58310F14841AE8AAD7250DB34AA51DB54

Function 006D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D00D6
__allrem.LIBCMT ref: 006D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D010B
__allrem.LIBCMT ref: 006D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D0140

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 789a52e1028e7f1ce8ce85cde3e47e64e10823ee33a71b96b7d7798503dec9e1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0481C072E00706ABE720AF69CC41BAA73EBEF41364F25452FF561DA381E770D9018B94

Function 006D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006C82D9,006C82D9,?,?,?,006D644F,00000001,00000001,8BE85006), ref: 006D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006D644F,00000001,00000001,8BE85006,?,?,?), ref: 006D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006D63D8
__freea.LIBCMT ref: 006D63E5

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

__freea.LIBCMT ref: 006D63EE
__freea.LIBCMT ref: 006D6413

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction ID: 52ee46a50e8334df4862fd95ac41680d42a5a37cb441d13014d47e8fe0f600f4
Opcode Fuzzy Hash: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction Fuzzy Hash: 3051D072E00216ABEB268F64DC81EEF77ABEB44710F16462AFC05D6341EB34DD45D6A0

Function 0072BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BD25
RegCloseKey.ADVAPI32(00000000), ref: 0072BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0072BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0072BDF3
RegCloseKey.ADVAPI32(?), ref: 0072BDFF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5a7f18acd22f1d8d0aca397d0cd64966d37527bcfc1bd92c00abab10e1e8439c
Instruction ID: ed8eea9986c740c8ae9d95de936788bb45a6bc4a84a548048df9f209b004d93a
Opcode Fuzzy Hash: 5a7f18acd22f1d8d0aca397d0cd64966d37527bcfc1bd92c00abab10e1e8439c
Instruction Fuzzy Hash: AF81BE70208241EFD714EF24C885E6ABBE5FF85308F14895CF5598B2A2DB35ED45CB92

Function 006FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 006FF7B9
SysAllocString.OLEAUT32(00000001), ref: 006FF860
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF889
VariantClear.OLEAUT32(006FFA64), ref: 006FF8AD
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF8B1
VariantClear.OLEAUT32(?), ref: 006FF8BB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 7ba29c73352f563b590be9afb2943e6ce94894f1ca8dc6ce204630b2801f4971
Instruction ID: d7c64717ca9e711501c74fa2ddc60f75761eba35b8a0e113c3b581251bdc3910
Opcode Fuzzy Hash: 7ba29c73352f563b590be9afb2943e6ce94894f1ca8dc6ce204630b2801f4971
Instruction Fuzzy Hash: 0951F831900318BADF50AB65D895B79B3E6EF45310F24946AEA05DF292DBB08C40DB5A

Function 0071910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007194E5
_wcslen.LIBCMT ref: 00719506
_wcslen.LIBCMT ref: 0071952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00719585

Strings

X, xrefs: 00719412

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9c228ef952071fc314363cebff7593ac23f34debb7df06c88b7025e7a006bf84
Instruction ID: 2e02a88b6813bc8c88317358e3e81313078fec609979288877b9987abfe9c298
Opcode Fuzzy Hash: 9c228ef952071fc314363cebff7593ac23f34debb7df06c88b7025e7a006bf84
Instruction Fuzzy Hash: 44E1D3315083508FC754EF28C891AAAB7E2FF85310F04896DF9899B2A2DB34DD45CF96

Function 006B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

BeginPaint.USER32(?,?,?), ref: 006B9241
GetWindowRect.USER32(?,?), ref: 006B92A5
ScreenToClient.USER32(?,?), ref: 006B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006B92D3
EndPaint.USER32(?,?,?,?,?), ref: 006B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006F71EA

Part of subcall function 006B9339: BeginPath.GDI32(00000000), ref: 006B9357

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction ID: 3c6e25b24d591463cdaf6206e5965cbe718b3010e48983869e98a454fd3ed942
Opcode Fuzzy Hash: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction Fuzzy Hash: 7E41C1B1104200AFE721DF28CC85FFA7BEAEB45365F144229FB54872A1C735A886DB65

Function 007107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0071080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00710847
EnterCriticalSection.KERNEL32(?), ref: 00710863
LeaveCriticalSection.KERNEL32(?), ref: 007108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00710921

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f9091d218d81c4f2e4afa04d1b25093b812151dc8e896530e2219ce1a68cc316
Instruction ID: 0a8c6d9686b3b9422ae59fcbca002a3fefadf65a7765d12b45b9dc9547e0eca7
Opcode Fuzzy Hash: f9091d218d81c4f2e4afa04d1b25093b812151dc8e896530e2219ce1a68cc316
Instruction Fuzzy Hash: F6418F71900205EFEF159F64DC85AAA7779FF04310F1480A9ED00AA297DB74DEA1DBA8

Function 007381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006FF3AB,00000000,?,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 0073824C
EnableWindow.USER32(?,00000000), ref: 00738272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007382D1
ShowWindow.USER32(?,00000004), ref: 007382E5
EnableWindow.USER32(?,00000001), ref: 0073830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0073832F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction ID: 5b01173f9f9967c7808c4eb6c40fedb8ad9e81251fbe962e16c84ef4c7a8cbb0
Opcode Fuzzy Hash: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction Fuzzy Hash: 89418334601744EFEB51CF15C899BA97BE0FB0A715F1881A9FA085B263CB39A841CF56

Function 00704C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00704C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00704CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00704CEA
_wcslen.LIBCMT ref: 00704D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00704D10
_wcsstr.LIBVCRUNTIME ref: 00704D1A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1373e3c9ae3d7137837d915f2c7a85e0d5e2e1bbb8578195b62f4b9e07fbd2cc
Instruction ID: 521dbc064bc53a50380c7fa3bd8637cbedfb95b810c1ed48a1c957ec6566653b
Opcode Fuzzy Hash: 1373e3c9ae3d7137837d915f2c7a85e0d5e2e1bbb8578195b62f4b9e07fbd2cc
Instruction Fuzzy Hash: 4A2107B2204210FBFB155B35DC0AE7B7BDDDF45750F10816DFA05DA1A1DA69CC4187A0

Function 0071581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

_wcslen.LIBCMT ref: 0071587B
CoInitialize.OLE32(00000000), ref: 00715995
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 007159AE
CoUninitialize.OLE32 ref: 007159CC

Strings

.lnk, xrefs: 00715876, 007158C1, 00715985

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8f8e6ddf9889d78515379b070bc369a78d2c9b481c6870302f632d54227c8f23
Instruction ID: 137735d03595a2aa69c6ee58a0cc5311992da1911c35e416161e86b15c9d16c1
Opcode Fuzzy Hash: 8f8e6ddf9889d78515379b070bc369a78d2c9b481c6870302f632d54227c8f23
Instruction Fuzzy Hash: 1DD147B1608601DFC718EF18C48096ABBE6EF89710F14895DF8859B3A1DB35ED85CF92

Function 0070175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
Part of subcall function 00700FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
Part of subcall function 00700FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
Part of subcall function 00700FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

GetLengthSid.ADVAPI32(?,00000000,00701335), ref: 007017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007017BA
HeapAlloc.KERNEL32(00000000), ref: 007017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007017DA
GetProcessHeap.KERNEL32(00000000,00000000,00701335), ref: 007017EE
HeapFree.KERNEL32(00000000), ref: 007017F5

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction ID: 971a0dec10232068bce6180b2b804788b6a84a1d694141d6bbf6459ad85e56b3
Opcode Fuzzy Hash: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction Fuzzy Hash: 5E11BE72500205FFEB159FA4CC49BAE7BE9EB4535AF508218F481A7290D739AD40DB60

Function 007014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00701506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00701515
CloseHandle.KERNEL32(00000004), ref: 00701520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00701563

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction ID: 5c4cf0d04c80bf050b1f4fbad473209d1438bcc75595b2c338f85120a3955bf1
Opcode Fuzzy Hash: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction Fuzzy Hash: 3B112972500249EBEF128F98DD49BDE7BE9EF48749F048115FA05A60A0C3798E64DB61

Function 006C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006C3379,006C2FE5), ref: 006C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006C33B7
SetLastError.KERNEL32(00000000,?,006C3379,006C2FE5), ref: 006C3409

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 799691173656e2c62b50a188fd1828d5832a5c76e2a5462b6a23c7ba8790e982
Instruction ID: cedeb6ead6cdb93bdd004c12a2bb310a1f48866f2bbf56e5ca7f27d100dcfe4d
Opcode Fuzzy Hash: 799691173656e2c62b50a188fd1828d5832a5c76e2a5462b6a23c7ba8790e982
Instruction Fuzzy Hash: 9901243260C3B1BEA62637757C95FB63A96EB15379320C22EF410853F0EF594D02528C

Function 006D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D5686,006E3CD6,?,00000000,?,006D5B6A,?,?,?,?,?,006CE6D1,?,00768A48), ref: 006D2D78
_free.LIBCMT ref: 006D2DAB
_free.LIBCMT ref: 006D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DEC
_abort.LIBCMT ref: 006D2DF2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 139fb3676dbd1b92881bf7fa2473e58410af7f23e1f5ed1b002e22fb5c208c28
Instruction ID: 1086f68610c5bd92a682aae8568380d216bd3ba3e048641623151f6417a4a219
Opcode Fuzzy Hash: 139fb3676dbd1b92881bf7fa2473e58410af7f23e1f5ed1b002e22fb5c208c28
Instruction Fuzzy Hash: 22F0CD31D0470267D75327357C36E5B25576FE27A1F24441FF464D23D1EE6889015279

Function 00738A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00738A4E
LineTo.GDI32(?,00000003,00000000), ref: 00738A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00738A70
LineTo.GDI32(?,00000000,00000003), ref: 00738A80
EndPath.GDI32(?), ref: 00738A90
StrokePath.GDI32(?), ref: 00738AA0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction ID: cb1176cde34a79fcd0a1068211ef3425a3a01acc985bbe6c91467b8d28d1f69f
Opcode Fuzzy Hash: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction Fuzzy Hash: 84111E7600014CFFEF129F94DC48E9A7F6DEB04355F00C011BA1999161D7759D55DFA4

Function 007051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00705218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00705229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00705230
ReleaseDC.USER32(00000000,00000000), ref: 00705238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0070524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00705261

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction ID: 616c60f966884322883999c29921d8d4b13b5842f52098750b88145db076ad65
Opcode Fuzzy Hash: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction Fuzzy Hash: 67018FB6A00708FBEB119BA59C49A5EBFB8FF48352F048165FA04E7290D6749800CFA4

Function 006A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction ID: 04de628feb0283686404b8a88eed28aa8b916247e850199edeb1131fcfbdc96b
Opcode Fuzzy Hash: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction Fuzzy Hash: 560167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0070EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0070EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0070EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0070EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB75

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction ID: 8bf786e4fbad38eb85d5c1aaae50f4a9e83c12f821092a296635f05e7ce339bd
Opcode Fuzzy Hash: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction Fuzzy Hash: DFF030B2140158BBF72257629C0EEEF3A7CEFCAB12F008158F601E1091D7A85A01D7B9

Function 006F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 006F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 006F7469
GetWindowDC.USER32(?), ref: 006F7475
GetPixel.GDI32(00000000,?,?), ref: 006F7484
ReleaseDC.USER32(?,00000000), ref: 006F7496
GetSysColor.USER32(00000005), ref: 006F74B0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction ID: 70c012f3eb9feda3f0e2cf836e6b2e6fd986735cf87b622e8744347676ddf0ae
Opcode Fuzzy Hash: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction Fuzzy Hash: C901AD31400219EFEB125F64DC09BFE7BB6FF04312F608060FA15A61A0CB352E51EB14

Function 00701874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0070187F
UnloadUserProfile.USERENV(?,?), ref: 0070188B
CloseHandle.KERNEL32(?), ref: 00701894
CloseHandle.KERNEL32(?), ref: 0070189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007018A5
HeapFree.KERNEL32(00000000), ref: 007018AC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction ID: d3c80adce5e16e9a0322bcfa890d01e0cf7eeb0a00465979aa4b5a77e75e1a66
Opcode Fuzzy Hash: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction Fuzzy Hash: 44E0E576004105BBEB025FA1ED0C90ABF39FF49B23B10C220F225A1070CB369830EF58

Function 006ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006ABEB3

Strings

D%w, xrefs: 006ABCA2
D%w, xrefs: 006ABE9A
D%wD%w, xrefs: 006ABCA5
D%w, xrefs: 006ABDED, 006ABD91, 006ABD1B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%w$D%w$D%w$D%wD%w
API String ID: 1385522511-1150760593
Opcode ID: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction ID: 171eaaf57f1521ced85febd8390166c38c22deed87f8689b8383841631dd57de
Opcode Fuzzy Hash: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction Fuzzy Hash: 63914C75A00206DFCB14EF58C090AA9B7F2FF5A310B24916DD556AB352D731AD82CF90

Function 00727B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00727BFB

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Strings

5, xrefs: 00727C78
Variable must be of type 'Object'., xrefs: 00727C3A
+To, xrefs: 00727E2E
G, xrefs: 00727C7F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +To$5$G$Variable must be of type 'Object'.
API String ID: 535116098-412540982
Opcode ID: 4de074705d7c73a418c522864d6f44b06b52fb7a90a520befb4333ba915f4ef1
Instruction ID: 40178c9c726e4c8ca4eb994ed0fb51c0f9fa0b2c7f3ec668a1757a06926a7026
Opcode Fuzzy Hash: 4de074705d7c73a418c522864d6f44b06b52fb7a90a520befb4333ba915f4ef1
Instruction Fuzzy Hash: 17917F70A04219EFCB18EF54E9959BDB7B6FF45300F14805DF8066B292DB39AE81CB61

Function 0070C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C6EE
_wcslen.LIBCMT ref: 0070C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0070C7CA

Strings

0, xrefs: 0070C6AF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 46a504512ed386b2aee44e85fe9824d88aeebee91a836dd2f369029f34e23772
Instruction ID: 7820d6a2e646ea6415991fb145ae7a66d5132c83163091dc3ff187af5ab368e8
Opcode Fuzzy Hash: 46a504512ed386b2aee44e85fe9824d88aeebee91a836dd2f369029f34e23772
Instruction Fuzzy Hash: ED51BC71604300DBD766EF28C885BAAB7E8AF89310F045B2DF995E21E0DB78DD448F56

Function 0072AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0072AEA3

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetProcessId.KERNEL32(00000000), ref: 0072AF38
CloseHandle.KERNEL32(00000000), ref: 0072AF67

Strings

@, xrefs: 0072AE72
<, xrefs: 0072AE6B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 920990d066ecd1130674d4b7b2fb2cb3f8ce4c99de85d79f923c82625ae94bce
Instruction ID: 60536b7bf995817a494bf74f97e4aa66fab80b24dd19fc2978218c25dd630080
Opcode Fuzzy Hash: 920990d066ecd1130674d4b7b2fb2cb3f8ce4c99de85d79f923c82625ae94bce
Instruction Fuzzy Hash: B5716771A00625EFCB14EF54D485A9EBBF1AF09310F04849DE816AB362CB78ED45CFA5

Function 0070719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00707206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0070723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0070724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007072CF

Strings

DllGetClassObject, xrefs: 00707242

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction ID: fba563419474f10ae057220c04f6edb552a2372aafa8174d1ea3a99032f48fe7
Opcode Fuzzy Hash: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction Fuzzy Hash: 864151B1A04204EFDB19CF54C884A9A7BF9FF44310F1581A9BD059F24AD7B9ED44DBA0

Function 00733D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00733E35
IsMenu.USER32(?), ref: 00733E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00733E92
DrawMenuBar.USER32 ref: 00733EA5

Strings

0, xrefs: 00733D89

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a46c37dde56e12366580941447ead1743185bc9dae58b8b1d991391659f66992
Instruction ID: 190ac17efc9adb681b0561931da8bebd0315aa34d1198c366f7c6e7d34d7eb7a
Opcode Fuzzy Hash: a46c37dde56e12366580941447ead1743185bc9dae58b8b1d991391659f66992
Instruction Fuzzy Hash: C2416775A00209AFEB20DF64D884EAABBB9FF48350F048129E915A7251D738AE51CF60

Function 00701DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00701E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00701E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00701EA9

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Strings

ComboBox, xrefs: 00701DF0
ListBox, xrefs: 00701E25

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9de2dc60fdec0c2df7915f9477625afbe3815629ceaeaa06817543ac222c5b82
Instruction ID: 1aab26adb26e6a0f6d1fe76bfcc6a9f9afcd8cae53e5da1aefddd0c0098dd477
Opcode Fuzzy Hash: 9de2dc60fdec0c2df7915f9477625afbe3815629ceaeaa06817543ac222c5b82
Instruction Fuzzy Hash: 3521B4B1A00104FAEB15AB64DC46CFFB7B9DF46350B544619F826A71E1DB3C4D069B30

Function 00732F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00732F8D
LoadLibraryW.KERNEL32(?), ref: 00732F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00732FA9
DestroyWindow.USER32(?), ref: 00732FB1

Strings

SysAnimate32, xrefs: 00732F68

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction ID: d68285b74e5203ae3847372c975ce7955e514ff714c914ad8fac11b654596c25
Opcode Fuzzy Hash: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction Fuzzy Hash: 9B21FD7220420AEBFB114F64DC80EBB37BDEF59364F104618FA50E21A2C339DC829760

Function 006C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002), ref: 006C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000), ref: 006C4DC3

Strings

mscoree.dll, xrefs: 006C4D86
CorExitProcess, xrefs: 006C4D98

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction ID: 83a1d1d50c2a522f2ce0be0a7e5ecd7ba251543857385f302e4f9411459d12f7
Opcode Fuzzy Hash: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction Fuzzy Hash: 03F04475540208BBEB129F90DC49FEDBBB5EF44752F044198F906A2250DF786940DBD5

Function 006FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 006FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006FD3BF
FreeLibrary.KERNEL32(00000000), ref: 006FD3E5

Strings

X64, xrefs: 006FD2A8
GetSystemWow64DirectoryW, xrefs: 006FD3B9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction ID: a913967dcc7a8e19b7a329be56d54fff654d5304aefd151cabd2ac70e356b050
Opcode Fuzzy Hash: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction Fuzzy Hash: B9F055B640563C9BFB3227108C089B93213AF12B02B54C098FB02F2218DB24EE80A7C7

Function 006A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

Strings

kernel32.dll, xrefs: 006A4E94
Wow64DisableWow64FsRedirection, xrefs: 006A4EA8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction ID: 6b1e6d01cc86676f33fbe6fa705ce319ab007768e2a098b542b079bc4f2b7f83
Opcode Fuzzy Hash: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction Fuzzy Hash: EFE08676A016225BA22327256C18A9B6555BFC2B63B054115FC01F2201DFA8CD0196E4

Function 006A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Strings

kernel32.dll, xrefs: 006A4E5B
Wow64RevertWow64FsRedirection, xrefs: 006A4E6E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction ID: 5a6d64405b41d679a75cc6029d02460d2e030c3039db735b29123e927845af2f
Opcode Fuzzy Hash: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction Fuzzy Hash: 4AD0C2765026215766232B247C08DCB6A1ABFC2B123054111B801F2211CFA8CD01DAD4

Function 00712947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712C05
DeleteFileW.KERNEL32(?), ref: 00712C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00712C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CC0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6184a5bba92fa5cbc5bf30b13e7edc4eb3eb9a73796f67109303e69945af8413
Instruction ID: cc46a9c22739739b5abb486725945e7a3c1014e337fc8b54c3161ac9e504f3ea
Opcode Fuzzy Hash: 6184a5bba92fa5cbc5bf30b13e7edc4eb3eb9a73796f67109303e69945af8413
Instruction Fuzzy Hash: 87B16271900119ABDF11EFA4CC85EEE777DEF05350F1040AAF609E6182EA349E958FA4

Function 0072A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0072A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0072A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0072A468
CloseHandle.KERNEL32(?), ref: 0072A63D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6f8bd25a00cd9ef88714e56ceb83acb5faf0b97a81b8a516c311b62fde859164
Instruction ID: a862be1d36c622c0ab4b2b6cd439ffda68f1790071efa43b77eba30b483644f5
Opcode Fuzzy Hash: 6f8bd25a00cd9ef88714e56ceb83acb5faf0b97a81b8a516c311b62fde859164
Instruction Fuzzy Hash: 6AA1B171604300AFE760EF24D886F2AB7E6AF84714F14881DF55A9B2D2D774EC41CB96

Function 006DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBB7F

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction ID: b4577477c33abf5e2e906f2703304a461f3e604bf567b8219e9ce02c5a864dc0
Opcode Fuzzy Hash: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction Fuzzy Hash: 35510471D00209EBCB10EF698C819AEB7BAFF44350B12526FE454D7399EB709E409B58

Function 0070E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

lstrcmpiW.KERNEL32(?,?), ref: 0070E473
MoveFileW.KERNEL32(?,?), ref: 0070E4AC
_wcslen.LIBCMT ref: 0070E5EB
_wcslen.LIBCMT ref: 0070E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0070E650

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 57a586fd07c38986455bd23495c910b27ec26011e5154bb1731a776ed25daf7c
Instruction ID: a02badc2cf8fd2c1a0c59073e09f059cedca489f95abe6c5498bbf2bd22d858d
Opcode Fuzzy Hash: 57a586fd07c38986455bd23495c910b27ec26011e5154bb1731a776ed25daf7c
Instruction Fuzzy Hash: 2B5185B24083849BC764EB90DC81DDB73DDAF85340F004D1EF585D3191EE79A688876A

Function 0072B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0072BB63
RegCloseKey.ADVAPI32(?,?), ref: 0072BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0072BBB3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 2d0b65ac68325488d8db8e5b9209b7237ff4a030eb1e999cafe2a6215cd00bae
Instruction ID: a66ee4c84bbcfd65b4145fc5f23d9bcefbc37a8b972fa711fd8a289637f12273
Opcode Fuzzy Hash: 2d0b65ac68325488d8db8e5b9209b7237ff4a030eb1e999cafe2a6215cd00bae
Instruction Fuzzy Hash: 81619E71208241AFD714DF24D890E2ABBE5FF85308F14895CF49A8B2A2DB35ED45CB92

Function 00708BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00708BCD
VariantClear.OLEAUT32 ref: 00708C3E
VariantClear.OLEAUT32 ref: 00708C9D
VariantClear.OLEAUT32(?), ref: 00708D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00708D3B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction ID: caa3178869c16f97606955d8415d3f7f022497c49eb6073668c2631738f30cce
Opcode Fuzzy Hash: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction Fuzzy Hash: 91516CB5A00219EFDB10CF68C884AAAB7F4FF8D310B158659E955DB350E734E911CF90

Function 00718AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00718BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00718BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00718C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00718C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00718C5F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3e8fe6364faf0d1b286f99d605df9a4a43cef36a633376151e0a4f5f24be16de
Instruction ID: 4abd7b07affbde788f5eba9970c2fd665fbc75d7bc9cd5158e9eec6b9643f4dc
Opcode Fuzzy Hash: 3e8fe6364faf0d1b286f99d605df9a4a43cef36a633376151e0a4f5f24be16de
Instruction Fuzzy Hash: 36515135A002149FCB45EF54C8819ADBBF6FF49314F048498E8496B362CB35ED51CFA5

Function 00728EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00728F40
GetProcAddress.KERNEL32(00000000,?), ref: 00728FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00728FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00729032
FreeLibrary.KERNEL32(00000000), ref: 00729052

Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00711043,?,7529E610), ref: 006BF6E6
Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006FFA64,00000000,00000000,?,?,00711043,?,7529E610,?,006FFA64), ref: 006BF70D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction ID: c9343f59b80668b93442212dfd5bd1dff79c1a99b543d0975e53b22046a69094
Opcode Fuzzy Hash: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction Fuzzy Hash: AB514734A012159FCB51EF58C4948A9BBF2FF49314F088098E90AAB362DB35ED85CF91

Function 00736B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00736C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00736C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00736C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0071AB79,00000000,00000000), ref: 00736C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00736CC7

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction ID: 34cc02223450b15d8e96ba58afe925e9c55271e4c6824c52ade64f9afdb6c19d
Opcode Fuzzy Hash: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction Fuzzy Hash: 14411735600104BFFB24CF28CC58FA5BBA5EB09350F159268F899A72E2C379FD41CA60

Function 006D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006D20C3
_free.LIBCMT ref: 006D20E3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction ID: e30bd8d2d9a8791e6b541578e562d8e605dd4f360cdc1f57f8c2e881b592bc49
Opcode Fuzzy Hash: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction Fuzzy Hash: 5B41D372E00201AFCB20DF78CC90AADB3A6EF98314B1585AAE615EB351D631AD01CB80

Function 006B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006B9141
ScreenToClient.USER32(00000000,?), ref: 006B915E
GetAsyncKeyState.USER32(00000001), ref: 006B9183
GetAsyncKeyState.USER32(00000002), ref: 006B919D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction ID: b37a1195e7d84454d3ee4bceadc74b538fe2e3f37035ce4173bc498ddc494d83
Opcode Fuzzy Hash: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction Fuzzy Hash: 6541707190850AFBDF05DF68C848BFEB776FF05320F248229E525A7290C7345995DB61

Function 00713874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00713922
TranslateMessage.USER32(?), ref: 0071394B
DispatchMessageW.USER32(?), ref: 00713955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction ID: 3f0c63d8bdf46a541fe139efdb548559e1183dbeeb5ec88f21b4ae164416eacf
Opcode Fuzzy Hash: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction Fuzzy Hash: 3331C6705043419EEB35CB3C9849FF63BA8AB05348F544569E46A920E0E3BCB6C5CB25

Function 0071CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0071CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFF2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 95f1f22245c663142f76baec31b967a55bd08ea973fd1d431586832a94442f2d
Instruction ID: e2a6ae22a1033bbaf3ac96322c0cb8abe4e407ca97c35a7e2f24e0acc46e39cb
Opcode Fuzzy Hash: 95f1f22245c663142f76baec31b967a55bd08ea973fd1d431586832a94442f2d
Instruction Fuzzy Hash: E8314F72540205AFDB21DFE9C8849EBBBFDEB14351B10842EF516E2190D738EE829B64

Function 00701901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00701915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007019E2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction ID: 1dae97ac1a76f1816144f6cc83905d18d39eb55001df4f037ad1b871b861868d
Opcode Fuzzy Hash: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction Fuzzy Hash: 2F31D171A10259EFDB00CFA8CD99ADE3BB5EB05315F508329F921A72D1C774AD44DB90

Function 00735706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00735745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0073579D
_wcslen.LIBCMT ref: 007357AF
_wcslen.LIBCMT ref: 007357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction ID: 2569d568b952c656dd8ea0e9876d3f60de138acd24f3418fa41da0762a08166d
Opcode Fuzzy Hash: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction Fuzzy Hash: 45219671904618DAEB20DF64CC85EED77B8FF04724F108256F919EB181D7789985CF50

Function 00720930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00720951
GetForegroundWindow.USER32 ref: 00720968
GetDC.USER32(00000000), ref: 007209A4
GetPixel.GDI32(00000000,?,00000003), ref: 007209B0
ReleaseDC.USER32(00000000,00000003), ref: 007209E8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction ID: 1832741f6c6e4817c8238058e0b53ad19e6434e4a86a8d43056e9797b618d9c5
Opcode Fuzzy Hash: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction Fuzzy Hash: 54216275600214EFD704EF69D849A9EB7E5EF45701F04806CE846A7762DB34AD44CB94

Function 006DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DCDE9

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006DCE0F
_free.LIBCMT ref: 006DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DCE31

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction ID: 5a65930ac331323c202c53e62deb77828f8671dd5b592b31bb769b961bb21018
Opcode Fuzzy Hash: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction Fuzzy Hash: D401B5B2E0121B7F772116BA6C58DBBBA6EDEC6BB1315412AF905D7300DA648D01D2B4

Function 006B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
SelectObject.GDI32(?,00000000), ref: 006B96A2
BeginPath.GDI32(?), ref: 006B96B9
SelectObject.GDI32(?,00000000), ref: 006B96E2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction ID: 4382bcf5fc9e39fd00f339c7a417fbcc0c3eb0be21e7b36761f2b7859ce9df13
Opcode Fuzzy Hash: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction Fuzzy Hash: BF21C5B1801349EFEB118F28DC047E97BB6BB10395F508216F614A61B0E37868C2CFA8

Function 00705711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705726
_memcmp.LIBVCRUNTIME ref: 00705744
_memcmp.LIBVCRUNTIME ref: 00705757
_memcmp.LIBVCRUNTIME ref: 0070576F
_memcmp.LIBVCRUNTIME ref: 00705787

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction ID: 44e7fc5ee0da425991544ec15317b7f9886ddad094edd1cb3fa21356033eacb1
Opcode Fuzzy Hash: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction Fuzzy Hash: 1001B9E1681605FBE71855209E52FBB739DDF22398F005128FD089E2C2FB68ED1096B5

Function 006D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6), ref: 006D2DFD
_free.LIBCMT ref: 006D2E32
_free.LIBCMT ref: 006D2E59
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E66
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E6F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5290329de28652b131c03e77922a8ea6a5c9ba31588558a4cccb25aedc8c38db
Instruction ID: 909f4e634583a9a8e0918f9cebbca9f3dbbb8fa0c3984a0a95ee0996063b78d9
Opcode Fuzzy Hash: 5290329de28652b131c03e77922a8ea6a5c9ba31588558a4cccb25aedc8c38db
Instruction Fuzzy Hash: 3F014932E046026BC61323356CA6D6B275BABF23B2720842FF421A3392EE78CC010165

Function 0070000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700070

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction ID: b03e19bfc15da9bf7fb53ed1696616d69ed52d751011f21a1154d94c80cf6603
Opcode Fuzzy Hash: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction Fuzzy Hash: F5016276600214FFEB118F69DC48BAA7AEDEF44762F148224F905E6250DB79DE409BA0

Function 0070E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0070E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0070E9A5
Sleep.KERNEL32(00000000), ref: 0070E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0070E9B7
Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction ID: 22d8a1b6e0f8b59b947d74176f5d5dfe5c23966812c1b01403f5ffd1f94a1992
Opcode Fuzzy Hash: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction Fuzzy Hash: 65019271C1162DDBDF009FE5DC596DDBBB8FF08302F004A46E502B2191DB38A550D7A6

Function 007010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction ID: eecebe33a0fa503603399d8bc556fa353fecf2d183cc62bb50cefd3f8708e0a8
Opcode Fuzzy Hash: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction Fuzzy Hash: 95018175100209FFEB164F68DC49E6A3FAEEF85361B104414FA41D3350DB35DC009B60

Function 00700FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction ID: 644e6f7c5f62c1686e942a629eaf652fe2ac3b36f548b5d79626ff5dbe5b2ea7
Opcode Fuzzy Hash: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction Fuzzy Hash: 0BF06D75200305EBEB224FA4DC4EF563BADEF89762F508414FA85E7291CA79DC508B60

Function 00701014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction ID: 7128f9a7466fda5ca06938ae6da154ac53c9828eb8b5caba5b88b7df041ce3fe
Opcode Fuzzy Hash: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction Fuzzy Hash: F0F06D75300305EBEB225FA4EC49F563BADEF89762F504414FA85E7290CA79DC508B60

Function 0071030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710324
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710331
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071033E
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071034B
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710358
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710365

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction ID: 310a2a9894c9798cb31910b1b0255038d3e55aa540bfb0810e3a76cdbf634e86
Opcode Fuzzy Hash: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction Fuzzy Hash: D901AE72800B159FCB30AF6AD880852FBF9BF603153158A3FD1A652971C3B5A999DF80

Function 006DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DD752

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD764
_free.LIBCMT ref: 006DD776
_free.LIBCMT ref: 006DD788
_free.LIBCMT ref: 006DD79A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction ID: a5ea2a6cd58a442d9232db41eb0056801a655f89681be5cb1cf2cefe745acfbb
Opcode Fuzzy Hash: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction Fuzzy Hash: 92F06232D40305AB8662FB65F9D1C6A77DFBB54710B99484BF099DB701C734FC808A68

Function 00705C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00705C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00705C6F
MessageBeep.USER32(00000000), ref: 00705C87
KillTimer.USER32(?,0000040A), ref: 00705CA3
EndDialog.USER32(?,00000001), ref: 00705CBD

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8a5cfe934ffd0fc62b1da91a24875d034e83a41d8f0b6112e2943405d0614041
Instruction ID: 91a2ea991110daf433254e3486f691e281b118fdb1c78f4e4a6537194e481190
Opcode Fuzzy Hash: 8a5cfe934ffd0fc62b1da91a24875d034e83a41d8f0b6112e2943405d0614041
Instruction Fuzzy Hash: C1016231500B05EBFB215B10DD4FFA77BB8BB00B06F045659A583B10E1DBF8A9848FA4

Function 006D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D22BE

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D22D0
_free.LIBCMT ref: 006D22E3
_free.LIBCMT ref: 006D22F4
_free.LIBCMT ref: 006D2305

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction ID: 5f0ce4150ffd0f53572a3cf7d4dbd5c1e938c9bc49884daa4707c3bf4c7a02f0
Opcode Fuzzy Hash: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction Fuzzy Hash: E3F05470D002128B8663BF69BC218583B66F728B90740850BF419D7372CB7C0591BFEC

Function 006B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006B95D4
StrokeAndFillPath.GDI32(?,?,006F71F7,00000000,?,?,?), ref: 006B95F0
SelectObject.GDI32(?,00000000), ref: 006B9603
DeleteObject.GDI32 ref: 006B9616
StrokePath.GDI32(?), ref: 006B9631

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction ID: ce51949de5f6c586960b33109bc773b02f918099bd1aef26c0db31c67c917c94
Opcode Fuzzy Hash: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction Fuzzy Hash: 7FF03171005288DBE7265F59ED1C7A43F61A700366F44C214F659651F0D73895D2DF28

Function 006D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006D10F9
__freea.LIBCMT ref: 006D1117

Part of subcall function 006D1537: _free.LIBCMT ref: 006D154F

Strings

a/p, xrefs: 006D11DE
am/pm, xrefs: 006D117A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction ID: c8d8688af5626ee66aff780e38152c2b78fe662c22a4f9a8314d52846b9df4c3
Opcode Fuzzy Hash: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction Fuzzy Hash: F3D1CD71D00206EADB289F68C855BFAB7B3EF07300F29415BE901AF751D6B59E81CB91

Function 007261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00726238

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Part of subcall function 0071359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4
Part of subcall function 0071359C: LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

x#w, xrefs: 0072636F
x#w, xrefs: 0072633A
x#w, xrefs: 00726353

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#w$x#w$x#w
API String ID: 1072379062-1925529421
Opcode ID: 187a40df66dd9271c4b634df4cfe3130110d1f0120484e5d5191045ba8b5c925
Instruction ID: 8a339fa1d614bac7939eaeb06e289606699f9bd2775fbcc4252cd9639bcb12f8
Opcode Fuzzy Hash: 187a40df66dd9271c4b634df4cfe3130110d1f0120484e5d5191045ba8b5c925
Instruction Fuzzy Hash: 2BC19E71A00115AFCB14EF58D890EBEB7BAFF49310F10806AF9559B291DB74EE51CB90

Function 006D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOj, xrefs: 006D5BA8, 006D5C6C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: JOj
API String ID: 0-1489635976
Opcode ID: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction ID: 89144d97bd16eed238273992dc78ebfb324f74592f393f54af0da76b7f3bfd63
Opcode Fuzzy Hash: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction Fuzzy Hash: B851CC71D1060AABDB21AFA8C845FFEBBBAEF05310F14005FF406A7791D6758A02DB65

Function 006D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006D8B7A
__dosmaperr.LIBCMT ref: 006D8B81

Strings

.l, xrefs: 006D8A63

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .l
API String ID: 2434981716-3986846653
Opcode ID: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction ID: 7a74dd540b929326fcec394e0aa84d58c31daa39685244a762b0ac2bdb799845
Opcode Fuzzy Hash: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction Fuzzy Hash: 28415CB0E04185AFD7259F68C898ABD7FA7DB85304B2C819BF88587342DE358C029794

Function 00702716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0070B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021D0,?,?,00000034,00000800,?,00000034), ref: 0070B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00702760

Part of subcall function 0070B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0070B3F8

Part of subcall function 0070B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0070B355
Part of subcall function 0070B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B365
Part of subcall function 0070B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0070281A

Strings

@, xrefs: 00702832

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction ID: 56e8c8a0aa023c20685a75325e92aef8b96279437651cd5518cad5095e7b518e
Opcode Fuzzy Hash: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction Fuzzy Hash: 67412976900218EFDB10DFA4C946AEEBBB8EB09300F108199FA55B7181DA746F45CBA0

Function 006D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006D1769
_free.LIBCMT ref: 006D1834
_free.LIBCMT ref: 006D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006D1760, 006D1767, 006D1796, 006D17CE

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction ID: c3d232846637b2cf7c9fc2f92524bac1fa9342784e0e7dfc06d317facb0cd397
Opcode Fuzzy Hash: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction Fuzzy Hash: A8318071E00218BBDB21DB99D885DDEBBFEEB86350B54416BF404DB321D6B08E41DB94

Function 0070C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0070C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0070C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00771990,00CA5658), ref: 0070C395

Strings

0, xrefs: 0070C2DF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction ID: e163f0531d40c3ba53535d2f79db46afa1582ff19c672ee26cc1a05a133a3d68
Opcode Fuzzy Hash: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction Fuzzy Hash: 6A418E31204301DFD721DF25D885B5AFBE4AF85320F148B1DF9A5972D2D778A904CB66

Function 00734416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0073CC08,00000000,?,?,?,?), ref: 007344AA
GetWindowLongW.USER32 ref: 007344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007344D7

Strings

SysTreeView32, xrefs: 0073447C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction ID: cfc34403f3f6d595c396dcaec67ca3c5c1230e5cb5e3cc5af9bffa61ffc270b7
Opcode Fuzzy Hash: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction Fuzzy Hash: 6831B072200245AFEF259E38DC45BDA77A9EB09334F204329F975A21D2D778EC509B50

Function 00706E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00706EED
VariantCopyInd.OLEAUT32(?,?), ref: 00706F08
VariantClear.OLEAUT32(?), ref: 00706F12

Strings

*jp, xrefs: 00706E8B, 00706E90, 00706EF8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jp
API String ID: 2173805711-93120565
Opcode ID: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction ID: 5b3c1f2cdea079008f96e768deb8176dc23a8ffb2538e88ff3a70f5686cc1dbf
Opcode Fuzzy Hash: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction Fuzzy Hash: 51317371604246DFCB05BFA4E8619BD77B6FF45B00B1045ADF9025B2E2CB38AD21DB94

Function 0072304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00723077,?,?), ref: 00723378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
_wcslen.LIBCMT ref: 0072309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00723106

Strings

255.255.255.255, xrefs: 00723095, 0072309A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction ID: db5b3eae0c393ecf382a92312da3f431f7597c4c1563a68dae500d051b3dbb12
Opcode Fuzzy Hash: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction Fuzzy Hash: 4331B0352002259FDB20CF68D486EAA77E1EF15318F248459E9158B392DB7EEF41CB70

Function 00733EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00733F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00733F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00733F78

Strings

SysMonthCal32, xrefs: 00733F0B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0c4135909ac080327d17f6a6f873af15261c2947ee8fe19b092125568292ed1e
Instruction ID: 5975a934660825aaefca5641109c04b8113016582c5c52475d03a1c981c5c1e1
Opcode Fuzzy Hash: 0c4135909ac080327d17f6a6f873af15261c2947ee8fe19b092125568292ed1e
Instruction Fuzzy Hash: 40219F32600219BBEF259F54DC46FEA3B75EB48724F110214FA157B1D1D6B9AD90CB90

Function 00734653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00734705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00734713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0073471A

Strings

msctls_updown32, xrefs: 00734684

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction ID: d544ebcaaf014f5b08f46947b5a8584efad117a67e55ba6fc5fde4c597980978
Opcode Fuzzy Hash: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction Fuzzy Hash: ED218EB5600208AFEB15DF68DC81DA737ADEB4A3A4B040049FA049B292CB34FC51CB64

Function 007095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070961D

Strings

#OnAutoItStartRegister, xrefs: 007095F3
#notrayicon, xrefs: 007095B7
#requireadmin, xrefs: 007095D9

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4b5a95681dc3ed5f5d08e71a85fbcc28403e99c6f70f81addcdcc9afd6bf97fa
Instruction ID: 18bd9e387c2948362e2ffc1ff854b1acdd99b7a952284e26b84a9093e1e39678
Opcode Fuzzy Hash: 4b5a95681dc3ed5f5d08e71a85fbcc28403e99c6f70f81addcdcc9afd6bf97fa
Instruction Fuzzy Hash: B821F6B2104511FAD331BB259C02FB7B3D9DF55310F14412EFA49971C3EB5A9D51C2A9

Function 007337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00733840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00733850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00733876

Strings

Listbox, xrefs: 0073380F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction ID: 42b450c8752c7774a7e41c1436ec190cd53fbeb4fe135ff70589103d21c45eff
Opcode Fuzzy Hash: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction Fuzzy Hash: E021BE72610218BBFB218F54CC85EEB376AEF89760F108124F9049B191C679DC528BA0

Function 007149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00714A5C
SetErrorMode.KERNEL32(00000000,?,?,0073CC08), ref: 00714AD0

Strings

%lu, xrefs: 00714A6F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction ID: cb170029d758d65edacdda948b7ae62ed7a3399b4f28d2a3d1d85fef7df0470b
Opcode Fuzzy Hash: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction Fuzzy Hash: ED319375A00108AFD710DF54C885EAA7BF9EF05304F148098F905DB352D775ED45CB61

Function 007341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0073424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00734264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00734271

Strings

msctls_trackbar32, xrefs: 00734226

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction ID: aaf957582c7a7f2fe527584eec4b2bd8fae69d44281804eab91ad1e0dad84cf3
Opcode Fuzzy Hash: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction Fuzzy Hash: A611E031240208BEFF209E29CC06FAB3BACEF85B64F010128FA55E20A1D275EC519B24

Function 00702F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Part of subcall function 00702DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
Part of subcall function 00702DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
Part of subcall function 00702DA7: GetCurrentThreadId.KERNEL32 ref: 00702DDD
Part of subcall function 00702DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

GetFocus.USER32 ref: 00702F78

Part of subcall function 00702DEE: GetParent.USER32(00000000), ref: 00702DF9

GetClassNameW.USER32(?,?,00000100), ref: 00702FC3
EnumChildWindows.USER32(?,0070303B), ref: 00702FEB

Strings

%s%d, xrefs: 00702FFF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction ID: f0e49381a26ccbec12e025c07b2a0eeb443600d25fab1587c7d2e22dcd5b6bf3
Opcode Fuzzy Hash: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction Fuzzy Hash: 1211A571700205EBDF557F60CD8AEED77AAAF84304F048179B909AB292DE389D458B70

Function 00735882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358EE
DrawMenuBar.USER32(?), ref: 007358FD

Strings

0, xrefs: 0073588F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5b846177e08ae511e04e718566e64eaf3bfb492060365a65e8c55fb7d58c27ae
Instruction ID: b180e06f6cbc8bb2d56fdce2555b2d932c1ce83df396fe9c093ebe25a8f30871
Opcode Fuzzy Hash: 5b846177e08ae511e04e718566e64eaf3bfb492060365a65e8c55fb7d58c27ae
Instruction Fuzzy Hash: D601C072500218EFEB619F11DC44BEEBBB5FF45361F108099E848D6162DB349A90DF31

Function 0070007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction ID: cb24bacaf032ce2f4eec77006387ddcb3c7c513050a415d168a9e233a9d40d34
Opcode Fuzzy Hash: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction Fuzzy Hash: 01C14A75A0020AEFDB15CF94C894BAEB7B5FF48324F108698E505EB291D735DE41DB90

Function 0072342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00723459
CoUninitialize.OLE32 ref: 00723463
VariantInit.OLEAUT32(?), ref: 0072346E
VariantClear.OLEAUT32(?), ref: 0072371B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6d449ffe04cd3948b27658575c754c2c0268e71ccf4df47b48e1fe7c32849a0d
Instruction ID: 998ca5ac682de1fcaa4ad5896f682f1a46ec29df3e7659360874404d48ce2718
Opcode Fuzzy Hash: 6d449ffe04cd3948b27658575c754c2c0268e71ccf4df47b48e1fe7c32849a0d
Instruction Fuzzy Hash: CBA14B756042109FC700EF28D885A2AB7E5FF89714F04885DF98A9B362DB38EE41CF95

Function 00700436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 007005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 00700608
CLSIDFromProgID.OLE32(?,?,00000000,0073CC40,000000FF,?,00000000,00000800,00000000,?,0073FC08,?), ref: 0070062D
_memcmp.LIBVCRUNTIME ref: 0070064E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4d1464635aeecad16aad7b3d3dcc6b95a920776876e3c8f2ad49f66182b9c1e0
Instruction ID: c1b7f75451e72aa6405368a140206537be626715736f07a76c6b3ac841f88fb2
Opcode Fuzzy Hash: 4d1464635aeecad16aad7b3d3dcc6b95a920776876e3c8f2ad49f66182b9c1e0
Instruction Fuzzy Hash: 2581FC75A00109EFCB04DF94C984EEEB7F9FF89315F204558E506AB291DB75AE06CBA0

Function 0072A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0072A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0072A6BA

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0072A79C
CloseHandle.KERNEL32(00000000), ref: 0072A7AB

Part of subcall function 006BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006E3303,?), ref: 006BCE8A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c15d741b4710a2a0f35c3005ee9b27c63c7d4f14b189f87d9340a7729925d156
Instruction ID: 89e1cef35de5ee43a98196cbcd2d826a504d29f405810b70188a0b05af8b738d
Opcode Fuzzy Hash: c15d741b4710a2a0f35c3005ee9b27c63c7d4f14b189f87d9340a7729925d156
Instruction Fuzzy Hash: 1B5169B1508310AFD350EF24D886A6BBBE9FF89754F00892DF58997251EB34D904CBA6

Function 006E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006E14C0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6eb4b95696de5a52055c43680dcae0290a014f703045bcd7cf7cef77925e24e0
Instruction ID: 899d48b519e8e75515011c4a36ecfd4b3eed6ebf16c735a13822f1465409d676
Opcode Fuzzy Hash: 6eb4b95696de5a52055c43680dcae0290a014f703045bcd7cf7cef77925e24e0
Instruction Fuzzy Hash: 2A41F971A01751DBDB216BFA8C45ABE3AE7EF43330F14422EF415DA3D2E6344941B265

Function 00736278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007362E2
ScreenToClient.USER32(?,?), ref: 00736315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00736382

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction ID: a101ca1d91636d884a4cd857d2b7ee0498b78238d46cbfad2bb8c3c59bf0dd46
Opcode Fuzzy Hash: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction Fuzzy Hash: CA512875A00249EFEF10DF68D880AAE7BB6FB45360F108169F9159B2A1D734ED81CB50

Function 00721AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00721AFD
WSAGetLastError.WSOCK32 ref: 00721B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00721B8A
WSAGetLastError.WSOCK32 ref: 00721B94

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction ID: 22d4808ad67bff98c2dfc6a761b9f8c869a3e585618e4f92c1bc7d3e3c104822
Opcode Fuzzy Hash: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction Fuzzy Hash: 5841CE74600200AFE720AF20D886F6A77E6AB45718F54848CFA1A9F2D2D776ED418B94

Function 006DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction ID: e657bfb4d8355866fda84097156fb4e2267f30b820b05b1564a4776081ec3f06
Opcode Fuzzy Hash: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction Fuzzy Hash: 8E41BE71E00344AFD7249F68C841BAABBEAEB88720F11452FF151DB386D771A9018794

Function 007156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00715783
GetLastError.KERNEL32(?,00000000), ref: 007157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007157FA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction ID: 7b69130f704ea68f15aa0611b074ea60db8d8a24db4de6e1144ae4d855b624f7
Opcode Fuzzy Hash: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction Fuzzy Hash: 6941FD35600610DFCB15EF15C545A5EBBE2EF89720B19C488E84A6B3A2CB34FD41CF95

Function 006DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006C6D71,00000000,00000000,006C82D9,?,006C82D9,?,00000001,006C6D71,?,00000001,006C82D9,006C82D9), ref: 006DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006DD9AB
__freea.LIBCMT ref: 006DD9B4

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction ID: 89a73124e8606ef12820abe0ea1de6d31874f63297d84aac9e6bf0b1feae20b3
Opcode Fuzzy Hash: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction Fuzzy Hash: E531A072E0021AABDB259F65DC91EEE7BA6EB40310B054169FC04DA390EB36DD51DB90

Function 007352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00735352
GetWindowLongW.USER32(?,000000F0), ref: 00735375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00735382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007353A8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction ID: 1e7222878f50704243715a23565a02fc2a5a8f67577f662ddea1028c55e660db
Opcode Fuzzy Hash: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction Fuzzy Hash: 2431C534A95A0CEFFB309F14CC06BE83765EB05398F584101FA10961E2C7BC9D80DB46

Function 0070AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0070ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0070AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0070AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0070ACC6

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction ID: ea1ed921546819bce06bc48b11cc64dc9aa43812754b01e73d6def0601fe5827
Opcode Fuzzy Hash: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction Fuzzy Hash: C931E130A04758FFFB25CB658C09BFF7BE6AB89310F05831AE485961D1D37D898587A2

Function 00737674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0073769A
GetWindowRect.USER32(?,?), ref: 00737710
PtInRect.USER32(?,?,00738B89), ref: 00737720
MessageBeep.USER32(00000000), ref: 0073778C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction ID: f7864ce93ab967b1cb4511743ddf6d6805f7c2815db6f2eb5bab507551c63fad
Opcode Fuzzy Hash: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction Fuzzy Hash: 2341C0B4605254EFEB25CF58C895FA977F4FF49350F5980A8E5149B262C338E942CF90

Function 007316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007316EB

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

GetCaretPos.USER32(?), ref: 007316FF
ClientToScreen.USER32(00000000,?), ref: 0073174C
GetForegroundWindow.USER32 ref: 00731752

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction ID: fec6c9fda4c5ca408ef7dd098c4d7876a296b129e8e12f43b028974c390da8a0
Opcode Fuzzy Hash: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction Fuzzy Hash: ED314171D00149AFD700EFA9C885CAEBBFDEF89304B5480A9E415E7252DB359E45CFA4

Function 00738FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

GetCursorPos.USER32(?), ref: 00739001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006F7711,?,?,?,?,?), ref: 00739016
GetCursorPos.USER32(?), ref: 0073905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006F7711,?,?,?), ref: 00739094

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction ID: 78a230e9abb3d059965ba90498fe5a279fa2333dca14c2e7422b13f19352e374
Opcode Fuzzy Hash: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction Fuzzy Hash: 6B21E535600118EFEB2A8F94CC58EFA7BB9EF49350F148055F60557262C379AD90DF60

Function 0070D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0073CB68), ref: 0070D2FB
GetLastError.KERNEL32 ref: 0070D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0070D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0073CB68), ref: 0070D376

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction ID: 56eb907476ba225c1e1843c4611bf8d9b14e7ec5c71e496e1f430daf27627b88
Opcode Fuzzy Hash: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction Fuzzy Hash: 72215970508301DFC720EF68C88186AB7E4AA56364F104A1DF499932E1EB399D46CB97

Function 00701571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
Part of subcall function 00701014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
Part of subcall function 00701014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
Part of subcall function 00701014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007015BE
_memcmp.LIBVCRUNTIME ref: 007015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00701617
HeapFree.KERNEL32(00000000), ref: 0070161E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction ID: 5d5303642d2a52d68172994d89729c57e2f563e34c4970c63387177d934c1107
Opcode Fuzzy Hash: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction Fuzzy Hash: B1219A71E00108EFDB00DFA4CD45BEEB7F8EF40345F498559E441AB281EB39AA44DBA0

Function 00732782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0073280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00732840

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5de3c5e7e978dab1c17aff63b504e0d5ada847bee5b1fe279d944dc7d2b43763
Instruction ID: ba5e5ae3b2656262d3860de7ba73c19fa8f310f2e3a1178de20337305286c00e
Opcode Fuzzy Hash: 5de3c5e7e978dab1c17aff63b504e0d5ada847bee5b1fe279d944dc7d2b43763
Instruction Fuzzy Hash: AB21C131204121AFF7159B24C855FAA7B96AF85324F248158F4268B6E3CB79FC42CB90

Function 007078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00708D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708D8C
Part of subcall function 00708D7D: lstrcpyW.KERNEL32(00000000,?,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00708DB2
Part of subcall function 00708D7D: lstrcmpiW.KERNEL32(00000000,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707923
lstrcpyW.KERNEL32(00000000,?,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707984

Strings

cdecl, xrefs: 0070797B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 75897e9bb52aefe84ea804dcb990f4a258f4d6459cc8124d4d23de6d4a06b60a
Instruction ID: 47fd2a87b9569087bb9e9c2e2e788ca8307d7e5a93c8a292569384b0e11c4ccc
Opcode Fuzzy Hash: 75897e9bb52aefe84ea804dcb990f4a258f4d6459cc8124d4d23de6d4a06b60a
Instruction Fuzzy Hash: FE11067A200201FBDB159F34CC45D7A77E9FF45350B40812AF842C72A4EB35E811D7A5

Function 00737CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00737D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00737D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00737D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0071B7AD,00000000), ref: 00737D6B

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7cc023824486128d6c12bb93e90bdfd6a7d1dcf75ef60e5516a237ec2fa6edf2
Instruction ID: 87051d039ebf3d2fdfac3422fc0b528ee9dfa073e6257b79aa616a74d7024753
Opcode Fuzzy Hash: 7cc023824486128d6c12bb93e90bdfd6a7d1dcf75ef60e5516a237ec2fa6edf2
Instruction Fuzzy Hash: 7D11E471214654AFEB248F28CC04EA63BA5AF453A1F218724F939DB2F1E7389D51DB50

Function 00735660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007356BB
_wcslen.LIBCMT ref: 007356CD
_wcslen.LIBCMT ref: 007356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction ID: 9c704c9eed9cba8f5d431a18e6198f7185fd956a3670c77bc493d6df45b8825d
Opcode Fuzzy Hash: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction Fuzzy Hash: C211B171600618D6EB20DF658C86EEE77ACEF11760F50806AF915D6082EB789A80CB64

Function 006D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16001afe4171ed422744ebe4e8668f4b725bb723b9a6eee040d0959d7549f8d6
Instruction ID: 338f5b4633427b8599ed232fb452c6c1b5f6873fb9cacf0cd8596cb23a58d8b7
Opcode Fuzzy Hash: 16001afe4171ed422744ebe4e8668f4b725bb723b9a6eee040d0959d7549f8d6
Instruction Fuzzy Hash: 1301A2B2E0961A7EF66126787CC0F67661FDF427B8B34032BF521693D2DBA08C409174

Function 00701A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00701A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A8A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction ID: 07875626d4c2c0a5c067c9373627ac1f45355e87ff86866b07fa087b240981ca
Opcode Fuzzy Hash: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction Fuzzy Hash: BC11277AA01219FFEB11DBA4CD85FADBBB8EB08750F204191EA00B7290D6716E50DB94

Function 0070E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0070E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0070E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0070E24D

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction ID: 677e0c96268b3ac1ab7e6fc497e1ce76bf1ceafbefd9fcc5e74b21e40d18c65d
Opcode Fuzzy Hash: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction Fuzzy Hash: 3D110872904218BBD7019BAC9C09AAE7FACEB45355F008719F914E32D0D278C90087A5

Function 006CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006CCFF9,00000000,00000004,00000000), ref: 006CD218
GetLastError.KERNEL32 ref: 006CD224
__dosmaperr.LIBCMT ref: 006CD22B
ResumeThread.KERNEL32(00000000), ref: 006CD249

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction ID: a9ba343605694bdd57d1f714f1e1bde960490ec77ed3be5f4be23de069d13b74
Opcode Fuzzy Hash: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction Fuzzy Hash: CF01D276805208BBDB215BA5DC09FFA7A6FDF81331F20422DFA25922D0CB75CA01D7A5

Function 00739EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

GetClientRect.USER32(?,?), ref: 00739F31
GetCursorPos.USER32(?), ref: 00739F3B
ScreenToClient.USER32(?,?), ref: 00739F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00739F7A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 43070528ff14cddbb00e7aa67e644a8b207755ad5104f14c2b19880d00dcd2a9
Instruction ID: 22c1cdf2f408816bf215f5e45cef7caa791e1ee90fd35623742ead1a4ae35a1e
Opcode Fuzzy Hash: 43070528ff14cddbb00e7aa67e644a8b207755ad5104f14c2b19880d00dcd2a9
Instruction Fuzzy Hash: 8C119A3290011AEBEB11EFA8C849DEE77B8FB05312F104451FA01E3042C378BA81CBA5

Function 006A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
GetStockObject.GDI32(00000011), ref: 006A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction ID: ab184efe63ce1a2bab8293ef35adbb6ad91f23feb617a32087b4c7560d529f16
Opcode Fuzzy Hash: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction Fuzzy Hash: 7211AD72101548BFEF125FA4CD44EEABB6AEF093A5F084205FA1462120C7369CA0EFA0

Function 006C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006C3B56

Part of subcall function 006C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006C3AD2
Part of subcall function 006C3AA3: ___AdjustPointer.LIBCMT ref: 006C3AED

_UnwindNestedFrames.LIBCMT ref: 006C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006C3BA4

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 55cb905d6de44418e566d85ad83751043889f8ca63a1a9611b40e0da82845818
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 60011732100148BBDF129E95CC42EEB3B6EEF58754F04801CFE4896221C632E9619BA4

Function 006D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006A13C6,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue), ref: 006D30A5
GetLastError.KERNEL32(?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000,00000364,?,006D2E46), ref: 006D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000), ref: 006D30BF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction ID: edd2abc9aee5fe55d9f69aba9c4503bcc2604d87a9ae14280b7b4d9d1dd34b29
Opcode Fuzzy Hash: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction Fuzzy Hash: 30012B32B01332ABDB314B78AC449977B9AAF45BA1B144621F905F3340C725D901C7E5

Function 00707464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0070747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00707497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007074CA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction ID: f20017c2cd0a21f5da66b260f78f5a117a39ab113914098605e7c7b22555c907
Opcode Fuzzy Hash: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction Fuzzy Hash: E211ADB5A05394EBF7208F14EC08B927FFCEB00B14F108669B656E6191D7B8F904DB60

Function 0070B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B126

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction ID: 0b2c0422e17d6ef115876d7dc00a661382cb1836530c4f3ca71b4c57bceff1bb
Opcode Fuzzy Hash: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction Fuzzy Hash: CC118471C0151CD7DF009FE4D9596EEBFB8FF09711F108185D941B2181CB385A50DB55

Function 00737E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00737E33
ScreenToClient.USER32(?,?), ref: 00737E4B
ScreenToClient.USER32(?,?), ref: 00737E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00737E8A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a11adc9760178f0018c459973a6095de3451fe39945ef116ac853050e4658f28
Instruction ID: d29ddffece641122fe8ee7dc79e98ed856d1a3b83821b39da902b03984c59b70
Opcode Fuzzy Hash: a11adc9760178f0018c459973a6095de3451fe39945ef116ac853050e4658f28
Instruction Fuzzy Hash: 031143B9D0020AAFDB51CF98C8849EEBBF5FB08311F509056E915E2210D735AA54CF54

Function 00702DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
GetCurrentThreadId.KERNEL32 ref: 00702DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction ID: 02bfa9d0bdbf2e4fe957939f8c9f060981df0cff9d479c62a1d2a538034b92a0
Opcode Fuzzy Hash: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction Fuzzy Hash: 2EE09272201224FBEB211B729C0FFEB3EACEF42BA2F004115F105E10819AA8C841C7B1

Function 00738863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00738887
LineTo.GDI32(?,?,?), ref: 00738894
EndPath.GDI32(?), ref: 007388A4
StrokePath.GDI32(?), ref: 007388B2

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction ID: 8eec4a073444d2d3fff57d012b1bbc74a0a9df9a9f22f90607adb9cee09bdd28
Opcode Fuzzy Hash: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction Fuzzy Hash: FBF03A36045698BAEB135FA8AC09FCA3B69AF06311F44C000FB12751E2C7795551DFA9

Function 006B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006B98CC
SetTextColor.GDI32(?,?), ref: 006B98D6
SetBkMode.GDI32(?,00000001), ref: 006B98E9
GetStockObject.GDI32(00000005), ref: 006B98F1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction ID: 04af1a20d3a586305edd793162be9faf7095f4bed8262a695bf49f33e2f2e153
Opcode Fuzzy Hash: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction Fuzzy Hash: 1EE06571244248AAEB225B74AC09BE83F51AB11336F14C219F7F5641E1C77646509B10

Function 0070162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00701634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007011D9), ref: 00701648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070164F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction ID: 7dc8b0f16886b695d5dd9cba436ebc7a642361c0cc47068848f1b66d2a0d3002
Opcode Fuzzy Hash: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction Fuzzy Hash: FBE08C72602211EBE7201FA0AE0DB873BBCAF44793F14C808F245E9080EB3D8444CB68

Function 006FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD858
GetDC.USER32(00000000), ref: 006FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction ID: f5f5fc4ad36d06a530f72a7a13abaae68169aff388d09403a812d63e302e9392
Opcode Fuzzy Hash: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction Fuzzy Hash: 24E01AB1800204EFDB42AFA0D80D66DBBB2FB08312F10C009F946F7260C73D9942AF44

Function 006FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD86C
GetDC.USER32(00000000), ref: 006FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction ID: 06053dd8a283a46042be5f26486f9f8030e6ca08c2904ad3db02b4296109c6cc
Opcode Fuzzy Hash: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction Fuzzy Hash: FAE01AB1800200DFDB42AFA0D80D66DBBB2BB08312F108008F946F7260C73D99019F44

Function 00714D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00714ED4

Strings

*, xrefs: 00714E10
LPT, xrefs: 00714DFB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7e0bf935eb45fb81232b02997cc406a297b449c7afd741d2f4b57ad738100174
Instruction ID: 380d792099f740d35a200d0cdd7255964960e6ab881e309ca01922026dbfb50d
Opcode Fuzzy Hash: 7e0bf935eb45fb81232b02997cc406a297b449c7afd741d2f4b57ad738100174
Instruction Fuzzy Hash: E2914F75A002049FDB14DF58C484EA9BBF5BF49314F19809DE80A9F3A2D735EE86CB91

Function 006CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006CE30D

Strings

pow, xrefs: 006CE2E5, 006CE302

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction ID: d0699a20efbd56ded19ee46f85ee4a60b0237fe4a4f69d456a7cd55e7b5d96e0
Opcode Fuzzy Hash: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction Fuzzy Hash: A9512C61E0C20196CB157714C901BF93BB7DF40740F748D5EF495423A9FB3A8D969A8B

Function 00727771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,?,00000000,00000000), ref: 007278DD

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,00000000,?,00000000,00000000), ref: 0072783B

Strings

<sv, xrefs: 007277C8

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sv
API String ID: 3544283678-1866742746
Opcode ID: f63d274619b22cb2eae6aea58a7e7388630abd9a8e31dee809daeeabf61d6622
Instruction ID: 2719ef12dbf4142b5d545e4ae0fa7c60a60d5c05b4627e4333154bc40ddd2099
Opcode Fuzzy Hash: f63d274619b22cb2eae6aea58a7e7388630abd9a8e31dee809daeeabf61d6622
Instruction Fuzzy Hash: 57614B72914228AACF48FBE4DD91DFDB379BF15300B444129F542A7191EF38AE49CBA4

Function 006BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006BE1B1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction ID: d498d0343c4267ab09f3b0037ba25a3556cdfb5c41fc35754e43c592c5d0c357
Opcode Fuzzy Hash: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction Fuzzy Hash: B651357550424ADFDB15EF28C4816FA7FA6EF15310F248069F9519B3E0D6369E83CBA0

Function 006BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006BF2BB

Strings

@, xrefs: 006BF2AF

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction ID: 47adc3b50507cccab70cc0f8a9a120fe0df1137806193d7eedc84049402fbd54
Opcode Fuzzy Hash: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction Fuzzy Hash: 7E5155714087449FD360AF10DC86BABBBF9FFC5311F81884CF199411A5EB709929CB6A

Function 00725745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007257E0
_wcslen.LIBCMT ref: 007257EC

Strings

CALLARGARRAY, xrefs: 007257E6, 007257EB

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f78a521b2ab1a52baba830e8894d3cf2952804bce1fb6070750e5fc1e138207b
Instruction ID: 1ca4833f12977a7e57f3f1131e7467ff8c43b1360961df917bb079ba9e2b9047
Opcode Fuzzy Hash: f78a521b2ab1a52baba830e8894d3cf2952804bce1fb6070750e5fc1e138207b
Instruction Fuzzy Hash: F541AE71A00219DFCB04EFA8D8858BEBBF5FF59320F10412DE505AB291E7789D81CBA0

Function 0071D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0071D13A

Strings

|, xrefs: 0071D10B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction ID: d5d04fed221c9a48561f98829a212e64ff3283cf51d3883e79be08875709a305
Opcode Fuzzy Hash: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction Fuzzy Hash: 89314C71D00219ABCF55EFA4CC85AEEBFBAFF05304F000019F915A6161EB35AA46DF64

Function 0073356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00733621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0073365C

Strings

static, xrefs: 007335BC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction ID: e92b48c008ba8289c84592fb4b4fd11d28e21c16e2dce4cd9a2c3078971cc167
Opcode Fuzzy Hash: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction Fuzzy Hash: 09318F71110204AEEB209F38DC41EFB73A9FF88720F00961DF8A5D7291DA39AD91C764

Function 00734537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0073461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00734634

Strings

', xrefs: 0073458E

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction ID: bd5460d5464f1494abc2f3d9e8183eda24a51825f66d06cf66b74de01e418e8e
Opcode Fuzzy Hash: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction Fuzzy Hash: 9C312775A01219DFEB18CFA9C981BDABBB5FF09300F10406AE904AB342D774A951CF90

Function 007331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0073327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00733287

Strings

Combobox, xrefs: 00733249

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction ID: d656f0d648cca27ed5edef75a0d3f104a82580140acc889cdff4c24a0d6cd8b2
Opcode Fuzzy Hash: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction Fuzzy Hash: 1C11B271300208BFFF259E54DC85EBB376AFB943A4F104228F9189B292D6799D518B60

Function 00733710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

GetWindowRect.USER32(00000000,?), ref: 0073377A
GetSysColor.USER32(00000012), ref: 00733794

Strings

static, xrefs: 00733757

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction ID: 0f02cc29e91ff60009b56d32336371a543b1772bdf16210bbdef576eb218b406
Opcode Fuzzy Hash: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction Fuzzy Hash: 15113AB2610209AFEF11DFB8CC46EFA7BB8FB09354F004518F955E2251D739E8619B50

Function 0071CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0071CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0071CDA6

Strings

<local>, xrefs: 0071CD66

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction ID: d826f91e8164e0d40a33be94d004a9761df9b81b87a214f3b318d770ce0b24c9
Opcode Fuzzy Hash: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction Fuzzy Hash: 5F11C6B13856317AD7364BAA9C45EE7BE6CEF127A4F404226B589931C0D7789880D6F0

Function 00733429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007334BA

Strings

edit, xrefs: 0073348F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction ID: 6a4752b9bd628c76bc7483207769ade15b667a4e164ddd38758bb9721ce5fda9
Opcode Fuzzy Hash: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction Fuzzy Hash: CE118C71100248ABFB228F64DC44ABB376AEB05374F508324F965A31E2C779EC919B64

Function 00706C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00706CB6
_wcslen.LIBCMT ref: 00706CC2

Strings

STOP, xrefs: 00706CBC, 00706CC1

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7fdfe912587f236c62627953dfc725fefe5e014bf2b10dcca54082272902171b
Instruction ID: d62c44138015cb7e813d5ad0481e7fe3c7554d8ff28cbfadafe9fa1f0b3bb63d
Opcode Fuzzy Hash: 7fdfe912587f236c62627953dfc725fefe5e014bf2b10dcca54082272902171b
Instruction Fuzzy Hash: 8A010432600526CBDB20AFBDDCA09BF37F5EA617107100629E852D61D0EB39EC20C660

Function 00701CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00701D4C

Strings

ComboBox, xrefs: 00701CEB
ListBox, xrefs: 00701D16

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 078c7e5859f6eb6aa7a3fd990ac245f0bd44cc7f9fc8f91de21c7c9f4ef6034b
Instruction ID: 862d93d1ebe09a3965cf9df23cd92b03dba2ab9326abe4abf060d1a9f9eb33e3
Opcode Fuzzy Hash: 078c7e5859f6eb6aa7a3fd990ac245f0bd44cc7f9fc8f91de21c7c9f4ef6034b
Instruction Fuzzy Hash: 9201B171701628EBDB08FBA4CC55CFE73A9EB46360B540A19F832672C1EA3859088B70

Function 00701BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00701C46

Strings

ComboBox, xrefs: 00701BE5
ListBox, xrefs: 00701C10

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d294892f81f5a38de2a27d4562fa79c088066476d2ee0eaa268ca9da7de566f8
Instruction ID: bc815129f9de1db41dea1faa9e7e9bd2fd416a79f76ed1abbb6fba9998c3d6e4
Opcode Fuzzy Hash: d294892f81f5a38de2a27d4562fa79c088066476d2ee0eaa268ca9da7de566f8
Instruction Fuzzy Hash: 5B01F7B1680104E7EB08FB90C962DFF73E89B12340F500519B816732C2EA28DE4887B5

Function 00701C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00701CC8

Strings

ComboBox, xrefs: 00701C69
ListBox, xrefs: 00701C94

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 39c441c3acd607eae7eac9d324193b41a15e3e52c6fa4ba5fbfb535ed77c19f9
Instruction ID: 699e9114cdf13f06b5c503bc0da3cd8efcc4a4d415a416fd43a013b38ff0ae15
Opcode Fuzzy Hash: 39c441c3acd607eae7eac9d324193b41a15e3e52c6fa4ba5fbfb535ed77c19f9
Instruction Fuzzy Hash: 1A01DBB1640114E7EB04F790CA15EFF73EC9B12340F640519B806732C1EA28DF08D675

Function 006BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BA529

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Strings

3yo, xrefs: 006BA545, 006BA54D, 006BA552
,%w, xrefs: 006BA509

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%w$3yo
API String ID: 2551934079-2742024474
Opcode ID: fc54703227c2c0ebe72bd0839bccc9a957028deec153468e01d2f5970160da5a
Instruction ID: ee4f5bd71e4da42e349e96b56d8315903e9719f36d3230e36a5bddc59dfe892b
Opcode Fuzzy Hash: fc54703227c2c0ebe72bd0839bccc9a957028deec153468e01d2f5970160da5a
Instruction Fuzzy Hash: 6D01F77270061497DA24F7A8D81BAED3397DB05750F50406CF516572C3DE149E828BAF

Function 00701D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00701DD3

Strings

ComboBox, xrefs: 00701D75
ListBox, xrefs: 00701DA0

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 73e4c1af796d41fd73198c33d9da301421575e3e3582c579825c07eb3c548092
Instruction ID: 495f1e0f69708d7a564278dc9deb6e7238bccc7a068975197edac4b2febb2965
Opcode Fuzzy Hash: 73e4c1af796d41fd73198c33d9da301421575e3e3582c579825c07eb3c548092
Instruction Fuzzy Hash: F8F0A4B1B41614E6DB08F7A4CC56EFF77BCAB02350F540E19B826A72C2DA6859088674

Function 006BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0668

Part of subcall function 006C32A4: RaiseException.KERNEL32(?,?,?,006C068A,?,00771444,?,?,?,?,?,?,006C068A,006A1129,00768738,006A1129), ref: 006C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

Strings

Unknown exception, xrefs: 006C0692

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f852a276c94fd8dea90df8d82a26725d399c1e7849e6a658ee7c1b7270de707c
Instruction ID: a1702f1184182b609d58283a6e73d5cfd1780fdd8833ab9c8d9f41e0c6814faf
Opcode Fuzzy Hash: f852a276c94fd8dea90df8d82a26725d399c1e7849e6a658ee7c1b7270de707c
Instruction Fuzzy Hash: B5F0F474900208B78F40BAA4DC46EED776EDE00300B60413DB814C16A2EF71DB568684

Function 00738172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00773018,0077305C), ref: 007381BF
CloseHandle.KERNEL32 ref: 007381D1

Strings

\0w, xrefs: 0073818A

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0w
API String ID: 3712363035-2344672426
Opcode ID: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction ID: 027307d08a05b4c24128c536850dd9d17de4fcefc19e8f939d3087dec99fabd6
Opcode Fuzzy Hash: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction Fuzzy Hash: 49F05EB2640304BAF6206761AC45FB73A5EDB05791F008425BB0CE51A2D67E8A50E3BD

Function 0072747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00727493
_wcslen.LIBCMT ref: 007274B9

Strings

3, 3, 16, 1, xrefs: 00727483

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction ID: d548fcea76ba1f3d0126bc40bbcd8332caba2db2eae15de1e3a7daf8deebef6e
Opcode Fuzzy Hash: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction Fuzzy Hash: 11E02B026042B0509279327ABDC1EBF578ACFC5790710182FF981C2266EEA88D91D3E4

Function 00700B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00700B23

Strings

AutoIt, xrefs: 00700B17
Error allocating memory., xrefs: 00700B1C

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f32be2b856d734583b541f3ce46adb89b3d76ea786021630a235a7b770323593
Instruction ID: b27f989f0bb24b3be928530f97b0950274c1b1f0a970affeacad3dc852357371
Opcode Fuzzy Hash: f32be2b856d734583b541f3ce46adb89b3d76ea786021630a235a7b770323593
Instruction Fuzzy Hash: B5E0D87124431836E25137547C03FD97A858F05B21F10042EFB58654D38AD6689047ED

Function 006C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006C0D71,?,?,?,006A100A), ref: 006BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006A100A), ref: 006C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006A100A), ref: 006C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006C0D7F

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction ID: 8482a736767f329aea34eb69809c8853b1534e69e03d4064a3589a53ac118fc4
Opcode Fuzzy Hash: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction Fuzzy Hash: 05E06DB02003118BF3609FB8E8047527BE1FF00B81F00897DE886C6662DBB9F4848B91

Function 006BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BE3D5

Strings

0%w, xrefs: 006BE3B5
8%w, xrefs: 006BE3CA

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%w$8%w
API String ID: 1385522511-170289743
Opcode ID: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction ID: 07d72b40bd8fbb58b776ce04002d56d0c0df6be5624bb51b0cedc66a8bb86c4d
Opcode Fuzzy Hash: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction Fuzzy Hash: 67E02671448910CBCA049728B854ED83397EB04368B1091FCE12A872D3DB3D68C3874C

Function 00713017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0071302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00713044

Strings

aut, xrefs: 00713038

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction ID: 8d380a8cbfcbf10de0ce1b07167216f253c52997878b15e6a74cee53ee1be31e
Opcode Fuzzy Hash: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction Fuzzy Hash: D0D05B7250032467DA2097949C0DFC73A6CD704751F4042517A55E6091DAB49544CBD4

Function 006FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006FD220

Strings

X64, xrefs: 006FD2A8
%.3d, xrefs: 006FD22B

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction ID: 5c94e97133705ebf4bc5e1842d1244b6981e0bca1c51310a0bb406a335778089
Opcode Fuzzy Hash: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction Fuzzy Hash: BBD012E180810CE9CB9097D0CC458FAB37FBB08341F508452FB06A1040E628E64AA7A1

Function 00732356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073236C
PostMessageW.USER32(00000000), ref: 00732373

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732365

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction ID: 4ddda38d093197e64ff5760f1bef0da616df767a44edbbda5a617e4f73a86b3c
Opcode Fuzzy Hash: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction Fuzzy Hash: 25D0C972391310BAF665A770DC0FFC676549B05B11F508A567646BA1D0C9A8B8018B58

Function 00732322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0073233F

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732325

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction ID: 7c7511f28386dba0504acf84e60c52a219e631ad6035ec6a4aaee489897cec00
Opcode Fuzzy Hash: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction Fuzzy Hash: 62D0C976394310F6E664A770DC0FFC67A549B00B11F108A567646BA1D0C9A8A8018B58

Function 006DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006DBE93
GetLastError.KERNEL32 ref: 006DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006DBEFC

Memory Dump Source

Source File: 00000000.00000002.2098474297.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2098405527.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565111.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098666103.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098694710.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1389b68b7396778ba9cce13daed14df9289bb5bf6110e238ceca064e2ba58130
Instruction ID: 0c0665664dda1b0b2812920e0a93df7f7655378ce3afb4052437c7a074c66f82
Opcode Fuzzy Hash: 1389b68b7396778ba9cce13daed14df9289bb5bf6110e238ceca064e2ba58130
Instruction Fuzzy Hash: 02411434E00246EFCB218FA5CC44AFA7BA6EF01350F16916EF959973A9DB308D01DB54

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49965

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2115386499.0000017E475B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2231463033.0000017E45076000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232393690.0000017E45076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2199923536.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234892830.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176244136.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2199923536.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176244136.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/8 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255409290.0000017E4E3DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201363561.0000017E4E3DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2177051042.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200814143.0000017E4E9F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2177051042.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200814143.0000017E4E9F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2199923536.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258422028.0000017E472AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218258538.0000017E4E3C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2255409290.0000017E4E3DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201363561.0000017E4E3DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2223369430.0000017E4DC39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2177051042.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200814143.0000017E4E9F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2177051042.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202295478.0000017E4DD4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200814143.0000017E4E9F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242440236.0000017E48734000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242440236.0000017E48734000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2281747591.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242440236.0000017E48734000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257304427.0000017E480A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2198807936.0000017E4F780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2199923536.0000017E4F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231746286.0000017E43881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258422028.0000017E472AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2231746286.0000017E43881000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255409290.0000017E4E3DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231746286.0000017E43869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2235385769.0000017E4F24D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2224506428.0000017E4718C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226688195.0000017E463F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218258538.0000017E4E3C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50019 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df8b0b42-8c0b-490d-abf0-a82f16f60a0c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df8b0b42-8c0b-490d-abf0-a82f16f60a0c.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre